Network and Information Systems Regulations: don’t get burnt – keep the firewall up

The Network and Information Systems Regulations 2018 (NISR) came into force on the 10 May 2018, implementing the Network and information Directive EU 2016/1148.

The purpose of the NISR is to establish a national framework to regulate cyber security and to advance collaboration nationally and between member states of the EU. With focus firmly on GDPR compliance back in May, this important development may have slipped under the radar of those businesses within scope of NISR.

Does NISR apply to me?

NISR applies to:

1. Operators of essential services (“OES”), which can broadly be categorised as; energy, transport, health and water providers that fall within certain thresholds set out in Schedule 2 to the NISR. Competent authorities (see below) have discretionary power to designate providers as an OES (subject to certain conditions).
2. Relevant digital service providers (“RDSP”) (operators of an online marketplace, search engine or cloud computing service) headquartered or represented in the UK and excluding a micro or small enterprise (as defined in Commission Recommendation 2003/361/EC(8)).

Who is my “competent authority”?

Competent authorities are set out in Schedule 1 to the NISR.

1. OES’s in the energy, transport, health and water supply sectors fall under the authority of the relevant government department. Digital infrastructure providers are accountable to Ofcom.

1. RDSPs report to the ICO, and must register with it by 1 November 2018 (or 3 months from the date on which it became a RDSP). The National Cyber Security Centre is not a competent authority for the purposes of NISR.

I’m in scope – what do I have to do?

An OES must take measures to manage risks posed to the security of the network and information systems on which their essential service relies, or in the case of a RDSP the system on which it relies to provide a digital service. Such measures must be “appropriate and proportionate” and have regard to state of the art and be appropriate to the risk posed. Additional notification requirements also apply. OESs are required to notify their relevant competent authority about any incident which has a significant impact on the continuity of the essential service.

A RDSP is required to notify the ICO about any incident having a substantial impact on the provision of the digital services it provides.

Sanctions and penalties

Competent authorities have the power to:

• Serve an ‘information notice’ in order to assess whether an organisation falls within the threshold to be designated as an OES, or to assess its cyber security systems.
• Carry out an inspection to assess an organisation’s cyber security systems and check that it has complied with its duty to notify an incident.
• Serve an ‘enforcement notice’ to rectify alleged failures.
• Impose a financial penalty for contravention of NISR on a sliding scale up to a maximum of £17 million, depending on the severity of the contravention.

Practical precautions

All businesses should maintain a robust IT network, and you can take various precautions, such as:

• Carrying out due diligence on your IT system to identify risks faced, and address any areas of weakness.
• Maintaining a written plan of action for responding to cyber threats, and ensure clear lines of communication between IT and management teams. Put in place a worst-case-scenario contingency.
• Ensuring that your employees, and anyone with access to your network, are trained to recognise cyber threats and buy-in to safeguarding threats.
• Keeping your systems up-to-date with the latest IT protection software.

Next steps

1. Check whether your business is ‘in-scope’. If you are in the supply chain of an in-scope organisation, be prepared that your customer may pass back to you some of the NISR requirements by way of updated contractual terms, due diligence and audit requirements.
2. If you are an in-scope OES and you have not yet registered with your competent authority, then do so (this should have been done by 10 August). If you are an RDSP, register with the ICO by 1 November 2018.
3. Refer to guidance produced by your competent authority (for example the Department for Health has published a guide).
4. Put in place any network protection methods you deem appropriate and proportionate, and record all your actions in a paper audit trail.

If you would like further information and advice on issued raised in this article, please contact the Corporate and Commercial Team cct@blasermills.co.uk.