The NIS Directive is an EU Directive that was enacted into UK law as The Network and Information Systems Regulations 2018 (NIS Regulation). The NIS focusses on the security of network and information systems and the digital data within them. It is the first piece of EU-wide cyber security legislation and aims to create a higher common level of network and information system security across the EU’s critical infrastructure.
NIS & GDPR
The NIS came into force in May 2018, at the same time as the GDPR, but they are distinctly different. The key difference is that the GDPR affects the processing of personal data (information which relates to an identified or identifiable natural person) and the NIS concerns the security of network and information systems. Another dissimilarity is that the GDPR applies to all organisations processing personal data, whereas the NIS applies to specific sectors and organisation sizes.
Who does the NIS apply to?
Each member state is responsible for defining the types of organisations that fall under the NIS, in the UK the NIS applies to:
Operators of Essential Services (OES):
- include health, transport, energy etc.
- are regulated by the National Cyber Security Centre (NCSC)
- need to register with their regulator (competent authority) – regulators are assigned on a sectoral basis
- are subject to stricter security requirements than Digital Service Providers (DSPs) because of the higher risks they face and the potential severe consequences that service interruptions could cause
Digital Service Providers (DSPs):
- include search engines, online marketplaces & cloud computing services.
- do not all have to comply with the NIS as there are exemptions for small organisations. Only Relevant Digital Service Providers (RDSPs) need to comply with the NIS Regulation.
You are an RDSP if you:
- are an online search engine, an online marketplace or a cloud computing service;
- have your head office in the UK, or have nominated a UK representative; and
- have more than 50 staff and a turnover or balance sheet of more than €10 million.
- In the UK, Digital Service Providers are regulated by The Information Commissioner’s Office (ICO, the United Kingdom’s independent supervisory authority for ensuring compliance with the UK GDPR, Data Protection Act 2018, the Privacy and Electronic Communications Regulations etc.). The ICO is also the enforcement body for the GDPR.
- If you are a Relevant Digital Service Provider, you should register with the ICO. Unlike for the GDPR, you do not need to pay a fee when registering as an RDSP.
Responsibilities for organisations under the NIS
OES and DSPs each have a different set of rules to adhere to; however, they both need to:
- take appropriate technical and organisational measures to secure their network and information systems
- account for the latest developments and consider the potential risks facing their systems;
- take appropriate measures to prevent and minimise the impact of security incidents and to ensure service continuity; and
- notify the relevant supervisory authority (an authority established by its member state to supervise compliance with data protection regulation) of any security incident that has a significant impact on service continuity.
Representation requirements
Under the NIS, organisations who operate in the UK but don’t have a head office located within the United Kingdom will need to appoint a representative.
The representative becomes the single point of contact for enforcement bodies and will:
- liaise with the relevant authorities in other Member States, the NIS Cooperation Group and the CSIRTs Network to ensure cross-border co-operation;
- consult and co-operate, as it considers appropriate, with relevant law-enforcement authorities; and
- co-operate with the NIS enforcement authorities to enable the enforcement authorities to fulfil their obligations under these Regulations
The single point of contact will also submit reports to:
- the Cooperation Group based on the incident reports it received under regulation 11(9) and 12(15), including the number of notifications and the nature of notified incidents
- the Commission, identifying the number of operators of essential services for each subsector listed in Schedule 2, indicating their importance in relation to that sector
What about Brexit?
Global digital businesses that are based in neither the EU nor the UK but offer services in both markets should appoint two representatives under the NIS following Brexit: one in a relevant EU Member State and one in the UK.
DPO Centre Representation Services
The DPO Centre provides EU & UK Representative Services to qualifying NIS organisations who do not have a physical presence in the UK or Europe but need to comply with the NIS Directive. With offices in both Europe and the UK we can provide full NIS Representative Services from any member state to ensure full compliance.
Please contact us for more information