The Network and Information Systems Directive (EU) 2016/1148 (the NIS Directive) aims to raise the level of cyber security across the EU and has three objectives:
- Improved cybersecurity capabilities at national level
- Increased cooperation at EU level
- Risk management and incident reporting obligations for operators of essential services (OES) and digital service providers (DSPs)
The Directive also requires national supervision of OES in critical sectors (energy, transport, health, water, digital infrastructure and so on) and of DSPs. DSPs are online marketplaces, online search engines and cloud computing services; the cloud computing category covers:
- Software-as-a-Service (SaaS) providers, but only to the extent that they provide a scalable and elastic pool of resources to the customer;
- Platform-as-a-Service (PaaS) providers; and
- Infrastructure-as-a-Service (IaaS) providers.
UK implementation of the NIS Directive
In the UK the NIS Directive has been implemented as the Network and Information Systems Regulations 2018 (the NIS Regulations). The Regulations exempt smaller businesses (micro and small enterprises) from the DSP obligations. A business falls within the exemption if it:
- employs fewer than 50 staff, and
- has either an annual turnover or an annual balance sheet total below 10 million euros.
Note that both limbs must be met: a business with fewer than 50 staff but a turnover and a balance sheet total above 10 million euros is not exempt.
The NIS Regulations require DSPs that do not fall within the smaller business exemption to register with the Information Commissioner's Office (ICO), which is the competent authority for DSPs in the UK, within three months of first providing the digital service. No fee is payable for registration.
Since 1 January 2021 a UK DSP that offers services in the EU but has no establishment there must designate a representative in an EU member state in which it offers those services, and it becomes subject to that member state's NIS regime for the services it offers there.
What are the requirements for DSPs?
Take appropriate security measures. The Regulations do not prescribe a standard, but a risk-based management system of the kind ISO 27001 describes is a reasonable model. A DSP must:
- identify and take technical and organisational measures to manage the risks to its network and information systems, and those measures must be appropriate and proportionate to the risk;
- ensure that those measures deliver a level of security appropriate to the risk; and
- take measures to prevent, and to minimise the impact of, incidents affecting the network and information systems used to provide the service.
Report security incidents. A DSP must notify the ICO of any incident that has a substantial impact on the provision of its service, without undue delay and in any event no later than 72 hours after becoming aware of it. The Regulations themselves do not set numeric thresholds for "substantial impact"; it is assessed against these parameters:
- the number of users affected
- the duration of the incident
- the geographical spread of the area affected
- the extent of the disruption to the service
- the extent of the impact on economic and societal activities.
In summary, check whether your organisation meets the definition of a digital service provider and, if it does, whether it falls within the smaller business exemption. If the UK's NIS Regulations apply, register with the ICO, make sure that your security measures are driven by an assessment of the risk, and build the incident reporting parameters and the 72-hour notification deadline into your organisation's mandatory security breach reporting policy and procedures.