Amendments to the Security of Network and Information Systems Regulations

By Hans Allnutt & Tom Evans

Published 29 April 2022

Overview

The Security of Network and Information Systems Regulations 2018 (‘the 2018 NISR’) established a regulatory framework for network and information systems in the UK. The NISR apply to both operators of essential services (OESs) and relevant digital service providers (RDSPs).

The 2018 NISR came into force at around the same time as the General Data Protection Regulation (“GDPR”) and included a sanction regime with fines of up to £17m in the UK. Whereas the GDPR brought in security requirements in relation to security breaches involving personal data, the 2018 NISR was more focused on important infrastructure and digital services on which the nation relies, irrespective of the data they process. To date, we are not aware of a single 2018 NISR fine being issued in the UK.

In 2021 the Department for Digital, Culture, Media and Sport (DCMS) publicised its intention to amend the NISR, citing the need to ensure its continued fitness for purpose in light of the UK’s departure from the European Union.

The principal issue at hand concerned RDSPs and a perception at DCMS that having the notification thresholds for RDSPs set in legislation (as was formerly the case for those organisations under the GDPR) did not allow for sufficient flexibility.

For the purposes of the NISR, RDSPs are online search engines, online marketplaces, and cloud computing services, all of which are considered to play a vital role in the economy and wider society. The government view was that notification thresholds for RDSPs would be more appropriately fixed in policy, allowing them to be altered swiftly and, in theory, giving the system enough flexibility to keep pace with a constantly changing threat landscape.

DCMS ran a consultation on their proposals in the latter part of 2021, which garnered generally positive or neutral feedback. Following the consultation, Parliament has now passed the Network and Information Systems (EU Exit) (Amendment) Regulations (‘the 2021 NISR’), which have been in force since 12 January 2022.

RDSPs that fall within the remit of the 2018 NISR currently need to report incidents that have a ‘significant impact’ to the Information Commissioner’s Office (ICO). The interpretation of ‘significant impact’ previously derived from the EU NIS Directive and its Implementing Regulation; henceforth it will be provided under the 2021 NISR.

Full details of the new thresholds are as follows:

Parameter: Availability
Threshold: Your service was unavailable for more than 750,000 user-hours. The term “user-hour” refers to the number of affected users in the UK for a duration of 60 minutes.

Parameter: Integrity, authenticity, or confidentiality
Threshold: The incident resulted in a loss of integrity, authenticity or confidentiality of:

  • the data your service stores or transmits, or
  • the related services you offer or make available via your systems,

and the loss affected more than 15,000 users in the UK.

Parameter: Risk
Threshold: The incident created a risk to public safety, public security, or of loss of life.

Parameter: Material damage
Threshold: The incident caused material damage to at least one user in the UK, and the damage to that user exceeded £850,000.

The ICO further requests voluntary notification of other incidents, and highlights the importance of understanding the situations in which other notification requirements may bite, be they under the UK GDPR, the rules of other jurisdictions, or the residual EU NIS regulations and EU GDPR for those organisations also operating within the European Economic Area.

There is no substantive change in terms of enforcement action, with the fine parameters set out in the 2018 NISR remaining extant.

The efficacy of these amendments cannot yet be judged, but the aim of flexing notification requirements and making them more contingent on current threats appears laudable. Outstanding questions include whether the bureaucracy involved in changing policy can, in reality, prove agile enough to adapt swiftly, and whether industry is given sufficient buy-in and consultation over further proposed changes to the thresholds. Furthermore, questions might rightly be asked as to whether organisations will fear the consequences of non-compliance with the 2021 NISR, given the absence of any enforcement action during the four years of the 2018 NISR.

In the meantime, industry bodies seem broadly in favour of the 2021 NISR.