The Network and Information Systems Regulations 2018 (NIS Regulations) implement EU Directive 2016/1148. The aim of the directive was to harmonise the protection of information systems infrastructure across the EU and increase cross-border co-operation between EU Member States.
In a nutshell, the regulations serve to limit the impact of network and information systems failures for the purpose of ensuring business and public service continuity. They cover the systems’ physical and cyber resilience, as well as incident reporting for the operators of essential services (energy, water, etc.) and certain categories of digital service providers.
This article will focus on identifying relevant digital service providers and whether the NIS Regulations apply to your business.
Firstly, what is a digital service?
Section 1(2) of the NIS Regulations defines a digital service provider as anyone who provides any of the following digital services:
(a) an online marketplace;
(b) an online search engine; or
(c) cloud computing service.
These services must be provided at a distance, by electronic means and by the transmission of data on individual request of the recipient of the services. Services relying on electronic equipment, but that are performed in the physical presence of both the recipient/client and the service provider (for example, an individual purchasing a plane ticket in a travel agency), are beyond the scope of the NIS Regulations. Things like television and radio broadcasting are also excluded, as these are not supplied “at the individual request of a recipient of the services”.
Considering whether your services fall within the scope of the digital services described above is complex. If you are in any doubt, you should seek advice on this assessment.
The providers of digital services will only be within scope of the NIS Regulations if they are a Relevant Digital Service Providers (RDSPs).
Who is a Relevant Digital Service Provider?
A RDSP is defined in the NIS Regulations as a person who provides a digital service in the United Kingdom and satisfies the following conditions—
(i) the head office for that provider is in the United Kingdom (or that provider has nominated a representative who is established in the United Kingdom); and
(ii) the provider is not a micro or small enterprise.
Size and Turnover Requirements
If you are a small (turnover under £10million and fewer than 50 people) or micro business (turnover under £2million and fewer than 10 people) you do not need to worry about compliance with NIS Regulations.
You should, however, consider your obligations under the General Data Protection Regulation (GDPR) and your compliance with the same – including in respect of the technical and organisational measures you have in place to ensure that the data you process is safeguarded. Compliance with the GDPR is mandatory for any organisation that processes personal data (i.e. all businesses).
If your business exceeds the minimum size and turnover requirements, you should consider the territorial requirements.
If you provide a digital service and your head office is in the UK, or your business has a nominated representative in the UK, the NIS Regulations may apply to you if you satisfy the other criteria.
If you are not based in the UK, or do not have a nominated representative in the UK, but satisfy either of these requirements in respect of another Member State, you should take legal advice on the relevant implementation legislation in that Member State.
What do you need to do if the NIS Regulations apply to you?
The NIS Regulations require that businesses undertake a self-assessment to identify whether they are a RDSP and the regulations apply to them. If you consider that they may apply to you, you should seek legal advice to confirm that assessment.
If the NIS Regulations do apply to you, you must register with the ICO as a RDSP. You should do so within three months of satisfying the criteria set out above.
Who enforces the NIS Regulations and what are the fines?
The NIS Regulations are enforced by the Information Commissioner’s Office, the same body that enforces compliance with the GDPR and the Data Protection Act 2018.
In respect of NIS Regulations, the ICO can inspect or appoint third party inspectors where they believe there has been non-compliance.
Where an enforcement notice from the ICO has not been complied with, they may issue a fine (subject to proportionality and appropriateness requirements). The UK has devised a four-tiered fine system, depending on the severity of the potential impact of the RDSP’s infringement. The highest possible fine is £17million in the most extreme circumstances where the ICO considers that there is a material contravention of the NIS Regulations which has or could cause an incident resulting in an immediate threat to life of significant adverse impact on the UK economy. The RDSP concerned may also be liable for paying the ICO’s reasonable costs for performing its NIS enforcement functions.
If you are a RDSP, you must:
- Be registered with the ICO; and
- have policies and procedures in place to ensure that you meet the obligations imposed upon you by the NIS Regulations and related guidance.
As mentioned above, the NIS Regulations are closely related to the GDPR. If you are compliant with the GDPR, you have a robust starting point for ensuring your compliance with NIS Regulations but compliance with one does not guarantee compliance with the other. You should seek legal advice on the preparation and implementation of any additional policies you may require.