The NIS Directive was passed into EU law in 2016 and made its way into UK law two years later as the Network and Information Systems Regulations 2018. Unlike GDPR and the Data Protection Act 2018, it arrived with little fanfare, most likely because outside critical national infrastructure (CNI), essential services, and digital providers above a certain size it had little impact on business.
Even if you have never heard of it, it is worth learning about now: the EU has recently adopted successor legislation (NIS2) to replace it, and we are likely to see equivalent changes make their way into UK law.
The Network and Information Systems Regulations 2018 (we will use NIS going forwards) are a set of regulations aimed at mitigating risks to critical systems and essential services. These include essential services such as utilities and banking, and vital digital service providers such as cloud platforms. They encompass cyber security but are not a cyber security law. Instead, they are intended to address any disruptive incident affecting service, and they explicitly include non-cyber incidents such as natural disasters and power outages.
One of the criticisms of NIS has been uncertainty around who is and is not in scope, so to be clear: you are in the scope of NIS if you are:
- an operator of an essential service (OES)
- a relevant digital service provider (RDSP)
Enforcement for OESs is performed by their relevant sector regulator acting as a competent authority. For RDSPs, enforcement is performed by the ICO. Overall responsibility for NIS sits with DCMS, with assistance and advice from the NCSC. Any OES should be well aware of its position, as essential services are identified by sector and threshold in the regulations themselves (they are the services considered critical to the economy and broader society). The picture is less clear for RDSPs and is worth exploring.
As an RDSP, you fall under the scope of NIS if:
- you provide one or more of an online search engine, an online marketplace, or a cloud computing service (which includes PaaS, IaaS, SaaS, and any other pool of shareable computing resources that is scalable, elastic, and provided to external customers)
- you have a head office or nominated representative in the UK
- you have 50 or more staff, or an annual turnover or balance sheet total exceeding €10 million (smaller enterprises are exempt)
If you are an RDSP, you must register with the ICO. If your head office is in an EU state, however, you will be regulated by the relevant authority in that state, and the ICO will cooperate with it as needed. The good news is that there is no fee to register as an RDSP, but you must do so within three months of meeting the definition.
Let’s look at what it means if you are in scope.
Those under the current regulation have several responsibilities, and several resources available to help meet them. All EU states, and the UK, have a network of Computer Security Incident Response Teams (CSIRTs) that monitor incidents, share early warnings, and provide risk analysis. If you are within the scope of the regulations, being in touch with your national CSIRT is vital. National Competent Authorities (NCAs) are appointed for different sectors, often the relevant regulator for that sector, which keeps registration straightforward. Finally, each state appoints a Single Point of Contact (SPoC) to tie the national networks together for cross-border cooperation; in the UK the NCSC acts as both the national CSIRT and the SPoC.
Beyond making contact with a CSIRT and their National Competent Authority, affected RDSPs must report incidents that have a substantial impact on the provision of their service. They must notify the ICO 'without undue delay', and in any event within 72 hours of becoming aware of the incident. The ICO publishes guidance on these notifications; OESs may be subject to different notification requirements published or provided by their NCAs.
Determining whether an incident has caused a 'substantial' impact is down to the organisation, and the ICO's guidance does not reduce it to a single numeric test. To help you decide, the ICO requires you to take into account:
- How many users are impacted
- How long the incident lasts
- The size of the affected geographic area
- How severe the disruption is (e.g. the proportion of functionality lost)
- The economic and social impact of the incident
Further detail on these factors, and the specific thresholds at which an impact is deemed substantial, is set out in the implementing legislation (Commission Implementing Regulation (EU) 2018/151, Articles 3 and 4). Anyone who may need to make this determination should spend some time reading Article 3 and become familiar with the accompanying guidance.
Beyond notification, several other duties fall on RDSPs and OESs under NIS, and these are the real meat of the regulations. If you fall within scope, you must put in place 'appropriate and proportionate' security measures. As with GDPR, defining what is appropriate and proportionate can be challenging, so in practice it comes down to having risk and security management processes that can justify the controls you have chosen.
Unlike standards such as PCI DSS or Cyber Essentials, NIS does not prescribe a defined set of security controls (although the NCSC's Cyber Assessment Framework gives operators and competent authorities a structure for assessing them). Organisations must spend time building and understanding a profile of the risks they face, then decide on controls in light of the threats, the resources available, and the potential impacts. Building and understanding that risk profile is one of the most challenging aspects for many organisations, and if these processes are not already in place, expert help may be required.
Written by James Bore on behalf of Samurai Digital Security.
Edited by Dr David Day.