The UK Network and Information Systems Regulations

Are you aware of your obligations?

04.06.2020

An update on “NIS What?” by Rebecca Andersen. The below article was first published in Utilities Law Review, Volume 22, Issue 6, June 2020.

In 2016, the European Parliament adopted the Network and Information Systems Directive (often referred to as the ‘Cybersecurity Directive’) (‘the Directive’). The Directive’s primary aim is to improve the security and continuity of critical infrastructure and essential services that rely on network and information systems (that is, networks, devices and digital information), in order to prevent the type of disruption caused by the 2017 WannaCry ransomware attack (which in the United Kingdom alone affected almost half of all NHS Trusts and infected all sorts of administrative as well as diagnostic and treatment equipment), the 2016 attacks on US water utilities and the 2015 attack on the Ukrainian electricity network.

As is usual for EU directives, EU Member States were required to implement the Directive into their respective national laws. The United Kingdom did this through the Network and Information Systems Regulations 2018 (‘the Regulations’), which came into effect on 10 May 2018. (All EU Member States should have their own equivalent, very similar, national rules.)

However, despite having been in effect for some considerable time now, there is still a widespread lack of awareness of the Regulations and their effect. This is not surprising – the Regulations have a relatively narrow scope and came into effect when most organisations were in the throes of preparing for the EU General Data Protection Regulation (2016/679) (GDPR). Nonetheless, there are potentially significant consequences for non-compliance with the Regulations; the UK Government has made it clear that they will continue to apply post-Brexit; and, as GDPR compliance regimes become more established, organisations (and regulators) are better able to turn their attention to other issues, including the Regulations.

So, for those not too (or not at all) familiar with the Regulations, these are the key take-aways.

Application

The Regulations have the same primary aim as the Directive – to improve the security and continuity of critical infrastructure and essential services that rely on network and information systems. So they apply to core organisations and services which, if disrupted, could result in significant damage to the economy, individual welfare and/or society more generally.

Specifically, they apply to ‘operators of essential services’ and ‘relevant digital service providers’.

Operators of essential services (‘OESs’)

These are persons that:

  • provide, or are otherwise involved with, services critical for society at large and the economy (such as drinking water supply, gas and electricity supplies, airport operation, NHS Trusts and Foundations, and top-level domain name registries) in the United Kingdom;
  • are reliant on network and information systems; and
  • satisfy certain thresholds (which are detailed in the Regulations and designed to ensure that the focus is on the most significant suppliers).

They also include persons that may not satisfy the applicable thresholds but that the relevant competent authority nonetheless designates (after following a specified process) as an OES.

Relevant digital service providers (‘RDSPs’)

Subject to a few exceptions, these are persons that provide online marketplaces, online search engines and/or cloud computing services (which are all defined in the Regulations) (‘digital service providers’) in the United Kingdom and that have their head office or a nominated representative in the United Kingdom.

OESs are relatively straightforward to identify using the applicable descriptions and criteria under the Regulations.

RDSPs are defined by less clear descriptions and criteria which follow the more conceptual approach of the Directive, and the UK Government acknowledged during its consultation prior to implementing the Regulations that defining the RDSPs was a ‘challenge’. In truth, this is not too much of an issue for RDSPs providing online marketplaces and online search engines. However, it means that it is particularly tricky to identify RDSPs providing a cloud computing service – ‘a digital service that enables access to a scalable and elastic pool of shareable computing resources’. On the face of it, this covers many ‘as-a-service’ offerings (which the UK Government has confirmed will include Infrastructure-as-a-Service, Platform-as-a-Service and some Software-as-a-Service) and many are concerned that more cloud computing service providers (particularly Software-as-a-Service providers) are caught by the Regulations than were originally intended. Indeed, the UK Information Commissioner’s Office (‘the ICO’, and competent authority for RDSPs, on which see below) has already indicated that it will adopt a somewhat broad interpretation. It suggests, for instance, in its guidance that ‘cloud brokers’ who do not necessarily own or operate the cloud computing service(s) could be RDSPs. It remains to be seen how the Regulations will be applied in practice and/or what any further guidance says for greater certainty on this.

Registration

Both OESs and RDSPs must register with their ‘competent authority’.

A competent authority is, essentially, the regulator for the Regulations and is responsible for ensuring that the Regulations are complied with. Their responsibilities include reviewing application of the Regulations, developing guidance, keeping necessary registers and liaising with other competent authorities. They have a range of powers (many of which are in common with the GDPR), including the ability to issue information notices, rights to inspect (or require that inspections are carried out), the ability to issue enforcement notices requiring remedial action to be taken and fining powers.

Under the Regulations, there are multiple competent authorities in the United Kingdom.

  • For an OES, their competent authority depends on the sector and territory in which they operate (for example, the Secretary of State for Health for a healthcare OES in England and the Welsh Ministers for a healthcare OES in Wales).
  • For an RDSP, their competent authority is the ICO.

Existing OESs and RDSPs should have registered with their competent authority by 10 August 2018 and 1 November 2018 respectively. Any person that subsequently becomes an OES or RDSP should register with their competent authority within three months after it does so.

Organisations operating in the sector(s) and providing any service(s) of the type(s) covered by the Regulations need to assess whether the Regulations apply to them and, if so, register with their competent authority. Some organisations may be hesitant to register, on the basis that it will put them on their competent authority’s ‘radar’ and so expose them to potentially greater scrutiny. However, often it will be obvious if an organisation is an OES or RDSP and so should have registered. The Regulations will apply regardless of whether an organisation is registered, and there are potential reputational and other implications of being exposed as non-compliant with the law, so it will be in most OESs’ and RDSPs’ interests to register.

New security and notification requirements

At a high level, the Regulations require OESs and RDSPs to:

  • comply with additional security requirements to protect against risks to and minimise incidents in respect of network and information systems used to provide the relevant service(s); and
  • notify their competent authorities of certain incidents that impact those service(s).

The specific requirements vary slightly for OESs and RDSPs, and are generally not as stringent for RDSPs. In brief, the security measures that both OESs and RDSPs take must be appropriate and proportionate and, in the case of OESs, expressly include technical and organisational measures. These measures must have regard to the state of the art and ensure a level of security of network and information systems appropriate to the risk posed. In addition:

  • OESs must adhere to 14 high level outcome-based security principles set by the National Cyber Security Centre (‘the NCSC’), and any further guidance issued by their competent authority; and
  • RDSPs should have regard to certain additional elements to be taken into account by digital service providers as set out in EU Regulation 2018/151 (issued on 30 January 2018 to accompany the Directive) (‘the Accompanying Regulation’) and separate ICO guidance.

OESs must notify their competent authority of incidents having a significant impact on the continuity of the essential service(s) that the OES provides. The significance of the impact of an incident is determined by reference to certain factors specified in the Regulations (for example, the number of users affected and the duration of the incident).

RDSPs must notify the ICO of incidents having a substantial impact on the provision of the relevant service(s) that they provide (if they have access to information that enables them to assess that the impact of the incident is substantial). The substantiality of the impact of an incident is determined by reference to certain parameters and situations specified in the Accompanying Regulation (for example, factors similar to those to be taken into account by OESs, the extent of the impact on economic and societal activities and whether the incident has created a risk to public safety, public security or loss of life).

Further, an OES that uses an RDSP to provide its essential service(s) must also notify its competent authority if an incident affecting the RDSP has a significant impact on the continuity of the OES’s essential service(s) (as well as the RDSP notifying the ICO if the incident has a substantial impact on the provision of the RDSP’s relevant service(s)).

In all cases, OESs and RDSPs must provide certain information specified in the Regulations in their notice to their competent authority, and must provide that notice ‘without undue delay’ and within 72 hours of becoming aware of the incident.

Following notification, the incident information will be shared with the NCSC and affected EU Member States and, potentially, the public may be informed.

Many of these requirements and processes are, at first glance, very similar to those of the GDPR. However, a GDPR compliant security and incident reporting regime will not necessarily be compliant with the Regulations. The Regulations have a different focus (network and information systems, not personal data) and apply different requirements (for example, an OES or RDSP cannot take account of the cost of implementation when assessing the security measures they must implement, as they may do under the GDPR). Further, the very nature of the relevant service(s) arguably requires a more robust regime because of the potentially more significant impact of incidents on the economy, individual welfare or society more generally.

Fines of up to £17 million

Competent authorities can fine OESs and RDSPs for certain non-compliances with the Regulations if, having been issued with an enforcement notice, the OES or RDSP either (a) does not take any, or adequate, steps to rectify the non-compliance (where the competent authority has required the OES or RDSP to do so), or (b) fails to satisfy the competent authority with its representations in respect of the notice (where the competent authority did not require the OES or RDSP to take steps to rectify the non-compliance). Relevant non-compliances include failure to comply with the requirements in respect of security measures, to notify incidents, to comply with information notices and to carry out an inspection directed by a competent authority.

As under the GDPR, these fines can be up to £17 million. However, unlike the GDPR, they are tiered based on the materiality and effect of the non-compliance.

  • The highest level of fine is up to £17 million, but is reserved for material non-compliances that result in an immediate threat to life or significant adverse effect on the economy. This is a high threshold, so we may not often see fines of this magnitude.
  • Fines of up to £8.5 million and £3.5 million can be applied for material non-compliances that result in service disruption or service reduction (respectively) that last a significant period of time. We await guidance as to what constitutes a ‘significant period’ but, due to the lower threshold, we expect to see more fines within these significantly lower (but still substantial) ranges.
  • Fines of up to £1 million can be applied for non-compliances that do not result in an incident affecting network and information systems. This lowest level of fine reflects the likely lower severity and impact of such non-compliances.

Significantly, fines under the Regulations are in addition to fines under the GDPR. This means that, if a single event results in a breach of the Regulations and of the GDPR (for example, a security failure), an OES or RDSP could be fined separately under both regimes. The ICO has said in its guidance that it will work closely with other competent authorities and the NCSC to maintain a common approach, which may reduce the risk of multiple fines and/or significant fines under both regimes. However, the ICO and the relevant competent authority will be free to undertake their own responses to the event, and the UK Government has been very clear that multiple fines may be appropriate for the same event as they may relate to different aspects of wrongdoing and different effects.

Further, where an OES or RDSP is subject to an EU Member State’s equivalent national rules and an event also affects that EU Member State, the OES or RDSP may also be fined under that Member State’s equivalent national rules.

Brexit

The Regulations will apply despite the United Kingdom’s withdrawal from the EU.

During the transition period (currently until 11.00pm on 31 December 2020), the Regulations will continue in force as they are. However, certain aspects of the Regulations will fall away or be modified after that. These are mainly the EU-level cooperation obligations.

There are also some key changes for OESs and RDSPs.

UK-based RDSPs/digital service providers that offer any relevant service(s) to EU Member States but which do not currently have a head office or establishment in an EU Member State will now need to appoint a representative in an EU Member State. This should be an EU Member State into which they offer the relevant service(s).

Similarly, digital service providers that offer relevant service(s) in the United Kingdom but whose head office is outside the United Kingdom must appoint a UK representative who is able to act on their behalf, and must provide the representative’s details to the ICO (within three months of the end of the transition period or, if later, when the provider first offers the relevant service(s) in the United Kingdom).

In both cases, this potentially opens the RDSP/digital service provider up to dual regulation (as an RDSP in the United Kingdom and a digital service provider in the EU Member State in which it appoints its representative). So if an RDSP/digital service provider has several options as to where to appoint its new EU representative, it may wish to carefully consider the applicable local regimes and select its new EU representative accordingly (particularly as, for instance, fining powers can vary significantly between EU Member States).

Rebecca Andersen