At a glance
- NIS is intended to establish a common level of security for network and information systems. These systems play a vital role in the economy and wider society, and NIS aims to address the threats posed to them from a range of areas, most notably cyber-attacks.
- Although NIS primarily concerns cybersecurity measures, it also covers physical and environmental factors.
- NIS applies to two groups of organisations: ‘operators of essential services’ (OES) and ‘relevant digital service providers’ (RDSPs). This guide provides details about the requirements NIS places on RDSPs. Although aimed at RDSPs, it may also be useful for OES.
- There is a general exemption for digital services that are small and micro-businesses, unless they are part of a larger group or are controlled by larger organisations.
- The ICO is the ‘competent authority’ for RDSPs. We have a range of powers that we can use to enforce NIS, including issuing fines of up to £17 million in the most serious cases.
What is NIS?
NIS stands for the ‘Network and Information Systems Regulations 2018’. These are derived from European law. They implement European Directive 2016/1148 on a high common level of security of network and information systems across the Union, also known as the ‘NIS Directive’.
The EU Commission has also published an implementing act, Regulation 2018/151, referred to in this guide as the ‘DSP Regulation’. It is specifically concerned with digital service providers, including their security requirements and incident reporting thresholds.
What is NIS intended to address?
The aims of NIS are outlined in the EU Directive. NIS is intended to address the threats posed to network and information systems and therefore improve the functioning of the digital economy.
These systems play a vital role in society, and their reliability and security are essential for economic and societal activities. However, the magnitude, frequency and impact of security incidents are increasing, and network and information systems may become a target for harmful actions.
Is NIS a cybersecurity law?
NIS relates to any ‘incident’ that has an impact on a service, where that impact produces a significant disruptive effect. It is primarily aimed at improving cybersecurity, but is not in itself a cybersecurity law. It also includes impacts that have ‘non-cyber’ causes, for example interruptions to power supplies or natural disasters such as flooding.
An organisation in scope of NIS processes information on a number of servers in its data centre. These servers are subject to a number of technical measures to prevent external attackers from infiltrating them, eg firewalls and access controls.
However, one day, routine maintenance in the data centre leads to the power supply to one or more of these servers being disconnected accidentally. Unless the organisation stores its information with multiple redundancy, any information stored on the disconnected server is no longer available. This may in turn cause the organisation’s service to undergo a significant disruptive effect; ie the information on the disconnected device is not available, which in turn impacts the provision of the service itself.
This is still an ‘incident’ as defined by NIS, even though no cyber-attack caused it.
What organisations does NIS cover?
NIS applies to two groups of organisations:
- operators of essential services (OES); and
- relevant digital service providers (RDSPs).
You are a ‘relevant digital service provider’ if you:
- provide one or more of the following digital services: an online search engine, an online marketplace, and a cloud computing service;
- have your head office in the UK, or have nominated a UK representative; and
- have more than 50 staff and a turnover or balance sheet of more than €10 million.
The ICO regulates RDSPs, not OES. However, we also have a regulatory function over both types of service wherever those organisations are processing personal data. This is because in many cases OES and RDSPs will be data controllers and therefore data protection law also applies to them.
Are there any exemptions?
Yes. NIS has a general exemption for small and micro businesses. If you provide a digital service but have fewer than 50 staff and a turnover or balance sheet of less than €10 million, you are not an RDSP and therefore NIS does not apply to you.
If your digital service is part of a larger organisation, you need to count the whole organisation’s staff and turnover when assessing if NIS applies. For example, the digital service on its own could meet the small business exemption, but if it is part of a larger group (or is controlled by larger organisations) and that group has more than 50 staff and a turnover or balance sheet of more than €10 million, then the digital service would be in scope of NIS.
However, irrespective of your size, if you are processing personal data in connection with your service, you are still covered by the General Data Protection Regulation (GDPR). This guide provides more information about the relationship between NIS and the GDPR later.
In more detail – ICO guidance
Read our Guide to the GDPR for information about your obligations under data protection law.
You can also read the GDPR and NIS section of this guide for more information.
What action can the ICO take to enforce NIS?
The ICO can take several different actions to enforce NIS. These include enforcement notices, powers of inspection and penalties. We can issue a monetary penalty of up to £17 million in the most serious cases.
These powers are not mutually exclusive. We will use them in combination where justified by the circumstances.
More information about these enforcement powers is provided in the enforcement section of this guide.
These enforcement powers are separate from those we have available under data protection law. In cases where a NIS incident impacts on personal data, we are able to take action under both NIS and data protection law if it is appropriate and proportionate to do so.
This is also the case where a NIS incident affects an OES. If that incident is also a personal data breach, or leads to a personal data breach, then the ICO has a regulatory function.
In more detail – ICO guidance
The ICO’s Regulatory Action Policy outlines our targeted, risk-driven approach to regulatory action. The Regulatory Action Policy is available as a PDF.