The UK Government has published its response to its consultation paper, Security of Network and Information Systems targeted consultation on Digital Service Providers of April 2018. The consultation focuses on the application of the Security of Network and Information Systems Directive (NISD) to Digital Service Providers (DSPs) in the UK. As the Network and Information System Regulations 2018 (the NIS Regulations) are now in effect, the response to the consultation will be used to assist the Information Commissioner’s Office (ICO) in updating its guidance to DSPs.
The NISD is the first EU wide legislation on cyber security. It focuses primarily on regulating so-called operators of essential services (transport, energy, banking, healthcare) and providers of digital services (cloud services, online marketplaces, and search engines). Disruption to these services could have a detrimental impact on the economy and/or society at large; and so it is hoped that the NISD will ensure that these organisations are prepared to deal with the increasing number of cyber threats.
The consultation focused on three key areas: identification of DSPs, security measures and further guidance. There were 12 responses to the consultation, most of which were in favour of the Government's overall approach towards DSPs. However, there were concerns in relation to two key issues: 1) the scope of NISD; and 2) the subject of cost recovery.
UK Government's response to the Consultation
Identification of Digital Service Providers
The main concern of respondents here was the application of NISD to 'cloud service providers' and how 'cloud service provider' should be defined. The Government stressed that the language in the NIS Regulations, including the legal definition of a DSP, should reflect the language of NISD. To ensure consistency with NISD, it believes that DSPs should not be interpreted to include all online activity, or all activity that could potentially be classed as ‘software as a service’. Accordingly, it considers that cloud services should be limited to public cloud services, and should not include hybrid, private or community cloud services.
A further issue concerned the definition of 'scalable and elastic' in relation to cloud computing services. The Government said that this means "computing resources that are flexibly allocated by the cloud service provider, irrespective of the geographical location of the resources, in order to handle fluctuations in demand (scaleable) and computing resources that are provisioned and released according to demand in order to rapidly increase and decrease resources available depending on workload (elastic)". This largely follows the definition in Recital 17 of NISD.
There was also a focus on the definition of 'online marketplaces'. The Government said that the service must be a “genuine marketplace for goods or services and not an online retailer”. Where a DSP offers both, then NISD will still cover the online marketplace services.
Other factors to bear in mind when considering whether the NIS Regulations apply include: how a purchaser purchases a product, where the purchase and transaction take place and the size of the DSP.
Nearly three quarters of the respondents said that they understood the security requirements in NISD, but a number of respondents raised concerns about inconsistency in implementation requirements across Europe.
The Government stresses the need for the UK to implement security and incident reporting measures that are consistent with the Commission’s Implementing Regulation as any differences could bring about an "unwelcome burden" on business. To avoid this, the Government has recommended to the ICO that it advise DSPs to follow the European Network and Information Systems Agency technical guidelines.
Respondents sought further guidance on a number of areas including how DSPs could effectively calculate many of the incident reporting parameters; how the ICO intends to recover costs and the potential amount of fees; and how the penalty and appeal regime will work.
In its response the Government notes that the security and incident reporting requirements for DSPs are set out in Regulation 12 of the NIS Regulations. Under Regulation 12 of the NIS Regulations, DSPs are required to take into account the following security measures:
- the security of their systems and facilities;
- incident handling processes and procedures;
- business continuity management;
- monitoring, auditing and testing; and
- compliance with international standards.
Many of these security measures align with the security provisions set out in the General Data Protection Regulation (GDPR).
Failure to comply with the NIS Regulations will have significant implications and the ICO has a range of enforcement powers that it can use, including:
- issuing notices for further information;
- issuing enforcement notes that require a DSP to take, or refrain from taking, particular steps or actions;
- issuing monetary penalties for material contraventions, up to a maximum of £17 million in the most serious cases; and
- inspecting DSPs.
What can we expect next?
The Government will work with the ICO to update its guidance. It is not clear when this will be other than that it will be updated “as soon as is feasible”. The Government has also confirmed that these policy provisions will continue to apply in the UK after its exit from the EU. As cyber risk is such an international issue, there are clear mutual benefits in the setting of minimum cyber security standards and planning requirements.