Data Protection Report - Norton Rose Fulbright

The UK NIS Regulations (implementing the NIS Directive) come into force in the UK today (10 May 2018). These Regulations have received limited press attention, in part due to the emphasis that has been placed on GDPR implementation. However, the NIS Regulations represent a significant change in the legal environment relating to cybersecurity in the UK.

The NIS Regulations serve a number of purposes, including the development of the UK’s national framework and strategy relating to network security. The NIS Regulations also impose new obligations on operators of “essential services” and digital service providers in relation to the security of their network and information systems. Companies that fall within the scope of the NIS Regulations should be aware of these obligations and how they can be satisfied, particularly given that the NIS Regulations introduce a stringent penalties regime for non-compliance.

Key obligations on operators of essential services

Under the NIS Regulations, entities meeting certain threshold conditions in the energy, transport, healthcare, utilities and digital infrastructure sectors will be considered to be operators of essential services. Competent Authorities also have discretion to deem a particular organisation to be an operator of essential services even if these threshold conditions are not met.

Providers of essential services are required to take appropriate and proportionate technical and organisational measures to manage risks posed to the security of the network and information systems on which their essential services rely. These measures should have regard to the state of the art and ensure a level of security appropriate to the risk posed. A corresponding obligation to take appropriate and proportionate measures to prevent and minimise the impact of incidents affecting the security of these network and information systems is also imposed – such measures should be implemented with a view to ensuring the continuity of those services.

Providers of essential services must also notify their designated “Competent Authority” within 72 hours about any incident which has a significant impact on the continuity of the essential services that they provide. The relevant “Competent Authority” depends on the sector in which the provider of essential services is operating. Such “incidents” may include cyber-attacks, power outages, system malfunctions and hardware failures. In determining whether an incident has a significant impact, an operator should take into account criteria such as the number of users affected by the disruption, the duration of the incident, and the area affected by the incident.

Key obligations on digital service providers

The NIS Regulations impose similar obligations on digital service providers that provide online marketplaces, search engines or cloud computing services in the UK.

Such service providers are required to identify and take appropriate and proportionate measures to manage the risks posed to the security of network and information systems on which they rely. An obligation is also imposed to notify the Information Commissioner (as their Competent Authority) about any incident which would have a substantial impact on the provision of these services.

Penalties for non-compliance

Penalties for non-compliance with the NIS Regulations are potentially severe, with fines of up to £17 million permitted in some circumstances.

Pan-EU perspective

The NIS Regulations reflect the UK’s implementation of the EU NIS Directive, which is being or has been implemented into the law of all other EU member states by way of national legislation.

There will inevitably be some variation in the way in which the Directive is implemented in each EU member state. Of particular note is that in some member states, the national legislation may extend the concept of “operators of essential services” to other sectors of societal importance, such as financial services.

It is therefore important that a broad range of organisations operating in Europe consider whether they may be caught within the scope of national legislation implementing the NIS Directive – in all of the EU member states in which they operate.



*Many thanks to Juliet Gordon for her assistance in preparing this content