Network information systems regulations 2018: One week for relevant digital service providers to register with the ICO
Introduction
The use, processing and security of data are increasingly regulated areas of law in Europe.
A recent addition to the body of regulation is the UK Network and Information Systems Regulations 2018 (“NIS Regulations”), implementing the EU Network and Information Security Directive 2016/1148 (“NIS Directive”). Businesses which are “relevant digital service providers” were required to register with the Information Commissioner’s Office under the NIS Regulations by 1 November 2018; those which have not yet done so should act without delay.
This note deals with:
a) what constitutes a relevant digital services provider (“RDSP”); and
b) the actions RDSPs should consider to ensure compliance.
The NIS Regulations also cover “operators of essential services”, and businesses should assess whether they fall into that category; this article, however, deals only with how the Regulations apply to RDSPs.
What do the NIS Regulations do?
The Regulations address the security of network and information systems and the digital data they process. They establish a national framework for regulating cyber security and require organisations within scope to maintain appropriate security measures, register with the relevant authority and report significant cyber incidents.
What is a relevant digital service provider?
An RDSP is a person that provides a digital service to external customers in the UK and satisfies a number of further conditions.
To break this down:
- A digital service is a service that is an online marketplace, online search engine, or cloud computing service.
- An online marketplace is a digital service allowing online sales or service contracts to be concluded where the seller is a trader (a person or company acting in the course of its business) and the buyer may be a consumer or another trader.
- An online search engine is a service allowing users to search websites by inputting a keyword or phrase and returning links to pages in which the requested content can be found.
- A cloud computing service is a digital service that enables access to a scalable and elastic pool of shareable computing resources. It includes ‘Platform as a Service’, ‘Infrastructure as a Service’ and ‘Software as a Service’ solutions. SaaS falls within scope where the service is scalable and elastic and is provided on a business-to-business basis.
- A relevant provider of digital services is one that has its head office, or a nominated representative, established in the UK and is not a micro or small enterprise: that is, it has 50 or more staff, or an annual turnover and/or balance sheet total exceeding €10 million. Small and micro enterprises below both of these thresholds are excluded.
Under the NIS Directive, a business meeting the size threshold which offers digital services within the EU without having a head office in any Member State must designate a representative in one of the Member States in which it provides those services, and will then fall under that Member State’s jurisdiction.
What are the obligations under the NIS Regulations?
The following obligations apply to RDSPs:
a) register with the Information Commissioner’s Office (“ICO”);
b) take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of the network and information systems on which they rely to provide their digital services, and to prevent and minimise the impact of incidents affecting those systems; and
c) notify the ICO of any incident that has a substantial impact on the provision of their digital services, without undue delay and in any event within 72 hours of becoming aware of it.
What are the penalties for non-compliance?
The competent authority for RDSPs, the ICO, has a range of enforcement powers, including the power to carry out inspections, issue enforcement notices and impose monetary penalties of up to £17 million for the most serious infringements. These penalties are separate from, and may be imposed in addition to, any fines issued under the GDPR where the same incident also involves personal data.
Next steps
To the extent they have not already done so, relevant businesses should immediately consider whether they satisfy the conditions to be an RDSP and, if so, whether they are required to register in the UK. Whilst the NIS Regulations entered into force on 10 May 2018, the deadline for registration with the ICO for existing RDSPs was 1 November 2018. A business which becomes an RDSP after 1 November 2018 must register within three months of the date on which it became an RDSP.
Businesses should also review their security measures and incident reporting procedures against the obligations set out above, so that a qualifying incident can be identified and notified to the ICO within the required timeframe.
This article was updated 29 November 2018.
If you have any questions regarding the applicability of the NIS Regulations to your business, or the measures required to ensure compliance, please contact Jonathan McDonald.