In our article NIS Regulations and providers of access to cloud resources we explained how providers’ networks, servers, storage, applications and other digital services may fall within the ambit of the Network and Information Systems Regulations  2018 (NIS Regs) if they met the definition of a “cloud computing service” and were not exempted by the current minimum thresholds, both as detailed in the NIS Regs.

In this article, we summarise the obligations of those that the NIS Regs capture.


Cloud computing service providers –  obligations under the NIS Regs

The NIS Regs impose certain obligations on cloud computing service providers.  Also, in times of heightened focus on cybersecurity, the reputational impact of getting it wrong should not be underestimated.

The key obligations are as detailed below:

Manage security risk

  • Take appropriate and proportionate measures to manage the risks posed to the security of network and information systems on which it relies to provide its services. This includes:-
    • (Having regard to the state of the art) ensure a level of security of network and information systems appropriate to the risk posed.
    • Prevent and minimise the impact of incidents affecting their network and information systems with a view to ensuring the continuity of those services, taking into account:
      • the security of systems and facilities
      • incident handling
      • business continuity and management
      • monitoring, auditing and testing
      • compliance with international standards

Notify and assess security incidents that have a substantial impact

  • Notify the ICO in writing about any incident having a substantial impact on the provision of any of its digital services (subject to it having access to information available to assess the substantiality of the impact). Notifications must include:
    • the time… the incident occurred
    • the duration of the incident
    • information concerning the nature and impact of the incident
    • information concerning any, or any likely, cross-border impact of the incident
    • any other information helpful to the ICO

Like personal data breaches, NIS incidents must be reported within 72 hours of the cloud computing service provider’s first awareness of the incident.

  • Impact assess the incident taking into account:
    • number of users affected by the incident
    • duration of the incident
    • geographical area affected by the incident
    • the extent of the disruption to the functioning of the service
    • the extent of the impact on economic and societal activities
    • any guidance issued by the ICO

Register with ICO

  • Register with the ICO (currently no charge) providing the following details
    • name of the RDSP
    • address of the head office or nominated representative
    • up to date contact details, including email addresses and telephone numbers

Any changes to the above must be notified to the ICO within three months of the date of the change.


So, what does this mean for potential or actual cloud computing service providers?

For those well versed in data protection, this should not be too much of a leap, but this legislation should be reviewed separately and independently from data protection as it applies to ALL systems, irrespective of personal data.

Discover the benefits of Lawpoint 4 Digital Gateway, offering a complimentary digital legal audit for your unique digital product/service mix. Connect with Tracey at or call 01202 729444 to schedule your appointment.

If you haven’t done so already, subscribe to Lawpoint 4 Digital to access pertinent information and updates tailored to your digital legal audit. Take a step towards enhancing your digital presence today>>> click here.

© The Contract Shop t/a Lawpoint

Information correct as at 11 January 2024