For businesses that provide access to cloud resources such as networks, servers, applications and storage, the NIS Regulations could potentially apply, and if they do, there are compliance requirements which should not be ignored. Changes to the NIS Regulations are afoot, and the NIS net is widening as the government continues its focus on managing the complexity of digital sector regulation.

Background

Cybersecurity has received much attention in data protection circles for some time. The connection is obvious: personal data is held in the cloud, on a network or in a system, so an appropriate level of security must be in place to prevent unauthorised access to that personal data.

The Network and Information Systems Regulations 2018 (the “NIS Regs”) were introduced to improve the security of network and information systems by placing security-related obligations on certain users and providers of networks and systems. The NIS Regs focus purely on the security of networks and systems: the obligations apply irrespective of whether any personal data is held on those networks and systems.

Whilst they receive far less attention than the GDPR, it is a lesser-known fact that the Information Commissioner’s Office (the ICO), as well as overseeing data protection, also oversees and enforces the NIS Regs in relation to relevant digital service providers. The breaches covered, and their consequences, are also not dissimilar. For example, like the GDPR, certain security incidents must be notified, and like the GDPR, amongst other sanctions for breaches of the NIS Regs, the ICO can issue monetary penalties of up to £17 million.

How might the NIS Regs apply to network and cloud providers?

The NIS Regs place obligations on certain users and certain digital service providers.

On the client side, operators of essential services (e.g. utilities) that use cloud systems and networks will need to comply.

Cloud providers, however, will be more interested in the side of the NIS Regs that places compliance obligations on digital service providers, and in particular on businesses that fall within the definition of a cloud computing service, since that definition decides whether or not the NIS Regs potentially apply. Other categories of digital service provider (online marketplaces and online search engines) also trigger the NIS Regs, but it is the cloud computing service definition that is most likely to bring network and system providers into their ambit.

Even if the business does provide a cloud computing service, there is currently a minimum size threshold beneath which the business is exempt from the NIS Regs (see below).

So, what are Cloud Computing Services for the purposes of the NIS Regulations?

The NIS Regulations define a cloud computing service as:

[a] digital service that enables access to a scalable and elastic pool of shareable computing resources

The ICO has expanded on the definition of cloud computing services to confirm that it includes SaaS (to the extent that it offers a scalable and elastic pool of resources to the customer), PaaS and IaaS. It recognises that, although these are the three main categories, other “something as a service” models and the various hybrids that exist may also fall within the definition. Whether a particular cloud service falls within the ambit of the NIS Regulations therefore turns on whether it meets every element of the legal definition, which is broken down below.

Digital service

“Digital” is a key phrase embedded by the government at a policy level and making its way through various aspects of legislation and guidance. It is probably now part of everyday language, but it is worth remembering that digital refers to a specific method of transmitting data in binary form (as opposed to analogue). See ‘Are we digital? And why does it matter?’

Computing resources

The NIS Regulations contain a non-exhaustive list of computing resources in the context of cloud computing services. Notably, it covers hardware, software and services, and includes networks, servers or other infrastructure, storage, applications and services.

Enabling access

Cloud brokers and cloud providers potentially enable access (to the scalable and elastic pool of shareable computing resources).

Cloud providers build and manage cloud infrastructure (the hardware resources necessary to support the cloud services provided, including server, storage and network components, and the software deployed across the physical layer).

Cloud brokers manage the use, performance and delivery of cloud services, negotiating relationships between cloud providers and customers. Cloud brokers now exist in a number of guises at various deployment layers. According to the ICO, cloud brokers provide multiple offerings and can essentially act as a single “service point” where cloud customers can manage multiple cloud services, and provide business and relationship support services as well as technical support. The ICO breaks these down into the following three categories:

  1. Service intermediation – where a cloud broker provides value-added services or additional functionality on top of the underlying cloud provision it makes available to customers, such as identity management or security measures.
  2. Service aggregation – where a cloud broker essentially creates a new cloud service by combining and aggregating multiple other services into a single offering. For example, a cloud broker may provide service integration and can also be responsible for ensuring that data moves between the customer and the multiple providers in a secure manner.
  3. Service arbitrage – whilst this also involves aggregating multiple services, the cloud broker in this category is in the business of providing access to other cloud brokers rather than aggregating services to create a value-added offering.

The pool of resources or multiple providers that the cloud broker may make available to the cloud customer does not have to be owned or operated by the cloud broker. It is about providing access.

Scalable [computing resources]

This means that the cloud provider or cloud broker provides services that allow for the flexible allocation of computing resources in response to fluctuations in demand, irrespective of the geographical location of the computing resources.

An elastic pool [of computing resources]

This means that the cloud provider or cloud broker can provision or release computing resources according to demand in order to rapidly increase and decrease resources available depending on workload.

It should be noted that not all of the services provided by a cloud broker or cloud provider will necessarily fall within the definition. Each service would need to be considered against the definition. The ICO says that, in practice, it will depend on the specific circumstances, the nature of the services being offered and the details of any contractual arrangements between the cloud broker or cloud provider and its cloud customers.

Shareable [computing resources]

[computing resources] that are provided to multiple users who share common access to the service, but where processing is carried out separately for each user, although the service is provided from the same electronic equipment.

Businesses which provide cloud computing services may still be exempt from the NIS Regulations

Those who provide cloud computing services that fall within the legal definition but have fewer than 50 staff members and an annual turnover and/or balance sheet total below €10 million are exempt. However, if the business is a member of a group, the staff and turnover of the group as a whole are taken into account when assessing whether this exemption applies. It is the business’s responsibility to be aware of when it may pass the threshold, as doing so will trigger the need to comply with the NIS Regs. (It is worth noting that there may be change in this regard, but it is not envisaged in this round of changes to the law.)

Widening the NIS Net

Following a consultation ending in April 2022, the government announced its intention to implement changes to the law, which will, amongst other things, introduce another category of provider to the NIS Regs, namely managed service providers. At the date of this article, the government has not announced when these changes will begin the legislative journey, but for businesses that provide managed services or intend to, this is definitely an area to keep an eye on.

What does this mean for cloud computing businesses?

  • Businesses that the NIS Regulations already capture should ensure they are compliant (see the Obligations of cloud computing service providers article).
  • Businesses that already exceed the turnover/staffing thresholds of the NIS Regs, but to which the NIS Regs do not apply because of the products/services they provide, should be aware of which products/services could trigger the application of the NIS Regulations, and who in the business needs to be notified to start compliance considerations if and when that happens (see the Obligations of cloud computing service providers article).
  • Businesses whose products or services would make them a cloud computing service provider but for the size threshold will need to be aware of changes in the business (headcount, turnover, group membership) that could trigger NIS compliance, who in the business is going to monitor this, and who in the business is going to own notifications to the ICO and compliance generally (see the Obligations of cloud computing service providers article).
  • For businesses already complying with the NIS Regs, new products/services may, among other things, require a NIS risk assessment.
  • All businesses operating in the cloud computing space should monitor upcoming changes to the NIS Regulations, particularly if they provide or plan to provide managed services.

Discover the benefits of Lawpoint 4 Digital Gateway, offering a complimentary digital legal audit for your unique digital product/service mix. Connect with Tracey at tracey@law-point.co.uk or call 01202 729444 to schedule your appointment.

© The Contract Shop t/a Lawpoint

Information correct as at 11 January 2024