Network and Information System Directive and UK Regulation

The Network and Information System Directive 2016 aims to improve EU wide cyber security and has the following objectives:

Improved cybersecurity capabilities at national level
Increased EU level cooperation
Risk management and incident reporting obligations for operators of essential services (OES) and digital service providers (DSP)

The Directive includes national supervision of critical sectors covering essential services OES and DSPs which includes:

Software-as-a-Service (SaaS) providers: only to the extent that they provide a scalable and elastic pool of resources to the customer;
Platform-as-a-Service (PaaS) providers (including online marketplace); and
Infrastructure-as-a-Service (IaaS) providers.

UK implementation of the NIS Directive

In the UK the NIS Directive has been implemented as the NIS Regulation 2018 and it includes an exemption for smaller businesses. They are defined as those:

employing less than 50 staff, and
with a turnover of less than 10 million euros per year or
with a balance sheet of less than 10 million euros per year

The NIS Regulation requires DSPs that do not meet the smaller business exemption to register with the Information Commissioner’s Office (no fee is payable).

Where a UK business offers services in the EU it will need a Representative in the EU from 1 January 2021.

What are the requirements for DSPs?

Take appropriate security measures similar to ISO27001 to cover:

preventing risks, with technical and organisational measures that are appropriate and proportionate to the risk
ensure network and information system security with measures to ensure this is appropriate to the risk
handle incidents with measures to prevent and minimise the impact of incidents on IT systems used to provide the services.

Report security incidents. The levels are not defined but should be based on these parameters:

number of users affected
duration of incident
geographic spread
the extent of disruption of the service
the impact on economic and societal activities.

In summary, check whether your organisation meets the criteria for a Digital Service Provider and if so, check whether it falls within the smaller business exemption. If the UK’s NIS Regulation does apply, then register with the ICO and make sure that security measures take account of risk and factor in the incident reporting parameters to the organisation’s Mandatory Security Breach Reporting policy and procedures.

About the Author: mandy.webster

Since June 1999 Mandy Webster has been a freelance consultant offering audit, advice and training on privacy, information security and e-commerce issues as Data Protection Consulting Limited. The company’s mission is to help clients from a variety of sectors, and of all sizes, comply with data protection law and to that end it offers a range of solutions. Mandy, a qualified lawyer, is author of ‘Data Protection for the HR Manager’ and ‘Data Protection in the Financial Services Industry’ published by Gower and “Effective Data Protection” and ‘The ICSA Data Protection Troubleshooter’ published by ICSA Publishing Limited. Mandy is a well-known writer, commentator and speaker on data protection.

Network and Information System Directive and UK Regulation