Network information systems regulations 2018: One week for relevant digital service providers to register with the ICO
The use, processing and security of data is an increasingly regulated area of law in Europe.
A recent addition to the body of regulation is the UK Network Information Systems Regulations 2018 (“NIS Regulations”), implementing the EU Network and Information Security Directive 2016/1148 (“NIS Directive”). For businesses which are “relevant digital services providers”, there is now one week remaining to register with the Information Commissioner’s Office under the NIS Regulations, as the deadline for registration was 1 November 2018.
This note deals with:
a) what constitutes a relevant digital services provider (“RDSP”); and
b) the actions RDSPs should consider to ensure compliance.
The NIS Regulations also cover “operators of essential services” and businesses should assess whether they may fall into this category; however, in this article we assess how the Regulations apply to RDSPs.
What do the NIS Regulations do?
The Regulations address the security of network and information systems and the digital data they process. They establish a national framework to regulate cyber-security and require applicable organisations to maintain certain security measures, register with the relevant authority and report significant cyber incidents.
What is a relevant digital service provider?
An RDSP is a person that provides a digital service to external customers in the UK and satisfies a number of conditions.
To break this down:
- A digital service is a service that is an online marketplace, online search engine, or cloud computing service.
- An online marketplace is a digital service allowing for online sales or service contracts where the buyer or seller is a person or company acting in the course of their business.
- An online search engine is a service allowing users to search websites by inputting a keyword or phrase and returning relevant links in which the requested content can be found.
- A cloud computing service is a scalable and elastic pool of shareable computing resources. It includes ‘Platform as a Service’, ‘Infrastructure as a Service’ and ‘Software as a Service’ solutions. In the case of SaaS, these services must also be scalable and elastic, and ‘business-to-business’.
- A relevant provider of digital services is one that has its head office or nominated representative “established” in the UK and employs more than 250 persons with annual turnover and/or balance sheet total exceeding €10 million.
Under the NIS Directive, if a business meeting the size threshold operates within the EU without a head office or nominated representative in any Member State, it will need to establish a representative in a Member State in which it provides services.
What are the obligations under the NIS?
The following obligations apply to RDSPs:
a) Register with the Information Commissioner’s Office (“ICO”);
b) Take appropriate and proportionate measures to manage the risk posed to the security of the network and information systems on which it relies; and
c) Notify the ICO of any incident that has a substantial impact on the continuity or provision of its services.
What are the penalties for non-compliance?
The UK regulator (the ICO) has a range of enforcement powers, including the power to carry out inspections and to issue monetary penalties for non-compliance of up to £17 million for the most serious infringements. This is in addition to any fines issued under the GDPR.
To the extent they haven’t already done so, relevant businesses should immediately consider whether they might satisfy the conditions to be an RDSP and, if so, whether they are required to register in the UK. Whilst the NIS Regulations entered into force on 10 May 2018, the deadline for registration with the ICO for RDSPs was 1 November 2018. If a business becomes an RDSP after 1 November 2018, it will have 2 months to register after the date it becomes an RDSP.
Businesses may also wish to consider further their security measures and incident reporting procedures.
This article was updated 29 November 2018.
If you have any questions regarding the applicability of the NIS Regulations to your business, or the measures required to ensure compliance, please contact Jonathan McDonald.