Network and Information Systems Regulations 2018: What you need to know

According to the Cyber Security Breaches Survey 2017, medium businesses in the UK spent, on average, £3,070 last year resolving cyber security breaches. This figure rises to a staggering £19,600 for large businesses. These figures highlight the importance of investing in digital safeguards.

To try and address this ever-growing issue and improve the security of network and information systems, the EU introduced the 'NIS Directive' in August 2016. Implementing the Directive into UK law is the Network and Information Systems (NIS) Regulations 2018 (NISR), which is now in force.

Does NISR apply to my business?

There are two types of organisation to which NISR applies; operators of essential services (OES) and relevant digital service providers (RDSP).

An OES includes any organisation which carries out a service in one or more of the following sectors:

  • Energy (electricity, oil or gas)
  • Transport (air, rail, water or road)
  • Health (any healthcare organisation, including hospitals, private clinics and online providers)
  • Drinking water (supply or distribution)
  • Digital infrastructure (domain name system service providers, top-level domain name registries, internet exchange point operators).

and in each case whether the organisation meets the required thresholds (usually only large businesses will fall into this category but competent authorities do have autonomy to classify smaller businesses as OES').

An RDSP is any provider of an online market place (excluding those who sell directly to consumers, i.e. online retailers), online search engine or cloud computer system, with their head office in the UK (or a nominated representative established in the UK). Micro and small enterprises are excluded (that is, enterprises employing fewer than 50 individuals and with an annual turnover and/or annual balance sheet not exceeding €10 million). In order to qualify as an RDSP, digital services must be provided to external customers and not just maintained internally.

RDSPs are captured by the definition of a "cloud computing service provider" if they provide digital services enabling access to a scalable and elastic pool of computing resources. According to the ICO guidance, if you provide 'Platform as a Service' (PaaS) or 'Infrastructure as a Service' (IaaS) solutions then the NISR applies to you. If you are a 'Software as a Service' provider, you are also included to the extent that your service is scalable and elastic and you act in a business-to-business capacity. This potentially significantly expands the range of cloud-based services that are captured by the NISR.

What do I need to do to comply?

If you are an OES, you are required to take appropriate, proportionate technical and organisational measures to manage any risks to the security of your network and information systems on which your essential service relies (taking into account the state of the art of your systems). OES' must also implement measures to prevent and minimise the impact of any incidents which do occur. OES' must report any significant incident affecting their systems to the relevant authority (this depends on the sector the business is in) and report any incident affecting an RDSP which their essential service depends on. You should check the guidance published by the relevant authority for the sector your business operates in to assess the compliance requirements for that sector.

Similarly, RDSPs need to take measures to manage risks to systems and prevent and minimise the impact of incidents. The competent authority for all RDSPs in the UK is the Information Commissioner's Office (ICO). Records must be kept to demonstrate compliance with these requirements and can be requested by the ICO at any time. For any incidents that have a substantial impact on services, the ICO should be notified within 72 hours of becoming aware.

RDSPs must also register with the ICO.

The National Cyber Security Centre (NCSC) suggests that all affected businesses should define a set of principles to guide decision-making in order steer company personnel towards compliance with NISR.

What will compliance cost?

The UK government has published an impact assessment on the NISR which states that "those [businesses] who already take cyber security seriously will face lower compliance costs as they should already have many of the requirements in place".

The impact assessment considers that the main costs to businesses will be familiarisation costs, competent authority costs (which are being passed down to businesses), additional security spending and administrative costs associated with reporting incidents and providing evidence of security, risk assessments or audits.

The government estimates that familiarisation alone will require each business to seek 12 hours of assistance from a lawyer to advise on the legislation and the requirements. This includes familiarisation with guidance documents that are being provided by the government, for example, security principles and guidelines. The government further estimates that, for every hour a lawyer spends, senior managers or directors will need half an hour to digest that advice and identify how their business will comply.

What are the implications for non-compliance?

For contravention of the NISR, designated competent authorities can utilise a number of powers. These include issuing information notices, carrying out inspections (at the OES/RDSPs cost) or serving enforcement notices for failure to follow requirements.

In addition, authorities may impose considerable financial penalties ranging from up to £1 million to up to £17 million, depending on the severity of the breach.

Key points:

  • For OES', check the specific compliance requirements set out by your relevant competent authority (these are sector specific)
  • RDSPs must register with the ICO
  • If an RDSP suffers an incident that has a substantial impact on its service, it must notify the ICO within 72 hours of becoming aware of it.

For more information, please contact Tom Torkar.