At a glance
- NIS is intended to establish a common level of security for network and information systems. These systems play a vital role in the economy and wider society, and NIS aims to address the threats posed to them from a range of areas, most notably cyber-attacks.
- Although NIS primarily concerns cybersecurity measures, it also covers physical and environmental factors.
- NIS applies to two groups of organisations: ‘operators of essential services’ (OES) and ‘relevant digital service providers’ (RDSPs). This guide provides details about the requirements NIS places on RDSPs. Although aimed at RDSPs, it may also be useful for OES.
- There is a general exemption for digital services that are small and micro-businesses, unless they are part of a larger group or are controlled by larger organisations.
- The ICO is the ‘competent authority’ for RDSPs. We have a range of powers that we can use to enforce NIS, including issuing fines of up to £17 million in the most serious cases.
What does NIS mean?
‘NIS’ is shorthand for ‘network and information systems’. It refers to:
- electronic communications networks;
- devices or groups of interconnected devices that automatically process digital data; or
- digital data stored, received or transmitted by either of the above, for the purposes of their operation, use, protection and maintenance.
Read the key definitions section of this guide for more specific detail.
What are the NIS Regulations?
The NIS Regulations are the ‘Network and Information Systems Regulations 2018’ which came into force on 10 May 2018.
The Regulations intend to address the threats posed to network and information systems and therefore aim to improve the functioning of the digital economy.
Network and information systems play a vital role in society, and their reliability and security are essential for economic and societal activities. However, the magnitude, frequency and impact of security incidents are increasing, and network and information systems may become a target for harmful actions.
In addition to the NIS Regulations, the overall UK NIS regime includes an implementing act for digital service providers. This is known as the ‘DSP Regulation’, and specifies security requirements and incident reporting thresholds for certain organisations.
This guide uses the single term ‘NIS’ to refer to the overall legal framework, including the NIS Regulations and the DSP Regulation.
Is NIS a cybersecurity law?
NIS is primarily aimed at improving cybersecurity, but is not in itself a cybersecurity law. It relates to any ‘incident’ that has an impact on a service, where that impact produces a significant disruptive effect. It also includes impacts that have ‘non-cyber’ causes, for example interruptions to power supplies or natural disasters such as flooding.
An organisation in scope of NIS processes information on a number of servers in its data centre. These servers are subject to a number of technical measures to prevent external attackers from infiltrating them, eg firewalls and access controls.
However, one day, routine maintenance in the data centre accidentally disconnects the power supply to one or more of these servers. Unless the organisation stores its information with multiple redundancy, any information stored on the disconnected server is no longer available. This may cause the organisation’s service to undergo a significant disruptive effect; ie the information on the disconnected device is unavailable, which in turn impacts the provision of the service itself.
This is still an ‘incident’ as defined by NIS, even though no cyber-attack caused it.
What organisations does NIS cover?
NIS applies to two groups of organisations:
- operators of essential services (OES); and
- relevant digital service providers (RDSPs).
You are a ‘relevant digital service provider’ if you:
- provide one or more of the following digital services: an online search engine, an online marketplace, and a cloud computing service;
- have your head office in the UK, or have nominated a UK representative; and
- don’t meet the definition of a micro or small enterprise – this definition applies where you have fewer than 50 staff and an annual turnover or balance sheet of below €10 million.
The ICO regulates RDSPs, not OES. However, we also have a regulatory function over both types of service wherever those organisations are processing personal data. This is because in many cases OES and RDSPs will be data controllers and therefore data protection law also applies to them.
Are there any exemptions?
Yes. NIS has a general exemption for small and micro businesses. If you provide a digital service but have fewer than 50 staff and an annual turnover or balance sheet below €10 million, you are not an RDSP and therefore NIS does not apply to you.
If your digital service is part of a larger organisation, you need to count the whole organisation’s staff and turnover when assessing if NIS applies. For example, on its own the digital service could meet the small business exemption, but if it is part of a larger group (or is controlled by larger organisations) and that group has more than 50 staff and an annual turnover or balance sheet above €10 million, then the digital service is in scope of NIS.
However, irrespective of your size, if you are processing personal data in connection with your service, you are still covered by the UK GDPR. This guide provides more information about the relationship between NIS and the UK GDPR later.
What action can the ICO take to enforce NIS?
The ICO can take several different actions to enforce NIS. These include enforcement notices, powers of inspection and penalties. We can issue a monetary penalty of up to £17 million in the most serious cases.
These powers are not mutually exclusive. We will use them in combination where justified by the circumstances.
More information about these enforcement powers is provided in the enforcement section of this guide.
These enforcement powers are separate from those we have available under data protection law. In cases where a NIS incident impacts on personal data, we are able to take action under both NIS and data protection law if it is appropriate and proportionate to do so.
This is also the case where a NIS incident affects an OES. If that incident is also a personal data breach, or leads to a personal data breach, then the ICO has a regulatory function.