Is your business captured by the current or proposed changes to the NIS REGULATIONS?

Background

Cybersecurity has received a lot of attention in data protection circles for some time. The connection is obvious. Personal data is held in the cloud, on a network, in a system. It follows that an appropriate level of security must be in place to prevent unauthorised access to that personal data.

However, there is a law that receives far less attention than the GDPR and that focuses purely on the security of networks and systems, period (i.e. the obligations apply irrespective of whether personal data is held on those networks and systems). The Network and Information Systems Regulations 2018 (the “NIS Regs”) were introduced to improve the security of network and information systems by placing security-related obligations on certain users and providers of networks and systems.

There are currently two specific groups to whom the NIS Regs apply:

(i) users of systems and networks that are critical to the provision of certain essential services (e.g. utilities), known in the NIS Regs as Operators of Essential Services (“OESs”); and

(ii) providers of certain digital services which, if disrupted, could cause significant economic and social harm, known in the NIS Regs as Relevant Digital Service Providers (“RDSPs”).

The rest of this blog is about RDSPs (although if you provide services to OESs, or think you may be an OES, please do contact us here for further information).

Are you a Relevant Digital Service Provider?

If you provide any of the following services, you will be a Relevant Digital Service Provider:

(i) online marketplace services;

(ii) online search engines; and

(iii) cloud computing services.

BUT, if you fall beneath the threshold, you will be exempt from the rules. It is your responsibility to be aware of when you may pass the threshold, as passing it will trigger the need to comply with the NIS Regs.

Even if you are a Relevant Digital Service Provider, are you exempt because you fall below the threshold?

If you have fewer than 50 staff and an annual turnover and/or balance sheet total below €10 million, the NIS Regs will not apply to your business. However, if your business is part of a larger group, you need to include the staff numbers and turnover of the whole group when assessing whether this exemption applies.

Increased political focus on cybersecurity

In January 2022, the government issued its National Cyber Strategy and stated its intention to ensure that the UK continues to be a leading responsible and democratic superpower. As part of this policy, the government confirmed its commitment to improving the cyber resilience of businesses in the UK, recognising that “Reliance on IT is a part of everyday business life, and with that increased reliance on IT, failures of such have a bigger impact and can create more opportunities to compromise the running of businesses”.

Widening the NIS net – managed services

The proposed changes to the NIS Regs are currently at the consultation stage. The biggest change suggested is the expansion of the RDSP category to include managed services, capturing the external B2B provision of regular and ongoing service management of data, IT infrastructure, IT networks and/or IT systems, where that provision relies on network and information systems. It could potentially extend to software engineering, business continuity and disaster recovery services, and business process outsourcing.

Will size matter?

Remember, there are currently thresholds within which businesses must fall before they are captured by the NIS Regulations. Interestingly, whilst the consultation suggests that the current threshold is intended to apply equally to managed service providers, it has questioned whether risk can be reconciled with the size of the digital service provider. It is also exploring the option of granting a competent authority the regulatory power to designate specific small and micro businesses as being within scope.

What does it mean for your business if you are captured or may be captured in the future?

The NIS Regs impose obligations on those captured. These include registering with the ICO and taking appropriate and proportionate technical and organisational measures to manage risks to their systems. Those security measures must take into account the security of systems and facilities, incident handling processes, business continuity management, and monitoring, auditing and testing.

If you would like more information, please contact us to discuss or to request a copy of the guides we have produced below:

  1. Am I a Relevant Digital Service Provider for the purposes of the NIS Regulations?
  2. Relevant Digital Service Provider obligations under the NIS Regulations.
  3. Managed Services – looking ahead to the NIS Regulations.

If you would like to discuss the proposed changes to the NIS Regulations or have any questions, please contact Tracey@law-point.co.uk or call 01202 729444.