July 5, 2024


    As we read about AI and its rapid development, cyber security is another ever-increasing hot topic. Recently, the NHS was hit by a massive ransomware attack that caused disruption to test results and blood transfusions.

    From the outside, cyberspace can look like the wild west: a lawless frontier where dark web hacker-bandits are looking to take down our institutions and steal our identities. In this blog we thought it may be useful to recap the specific UK cyber security laws that attempt to bring order to the cyber frontier and to discuss how they apply to particular organisations.

    The “NIS Regulations”, or to give them their full name, The Network and Information Systems Regulations 2018, serve to protect the UK’s interests in cyberspace by managing cyber security risks for the UK’s essential services and various digital service providers. The NIS Regulations also require suppliers in these sectors to improve the security of their network and information systems. Though they’ve been in force since 10 May 2018, we thought it would be useful to have a brief refresher. 

    Who do they apply to? 

    The NIS Regulations apply to: 

    1. operators of essential services (“OESs”) in sectors vital to the economy: energy, transport, drinking water, healthcare and digital infrastructure; and
    2. Relevant Digital Service Providers (“RDSPs”), specifically online marketplaces, online search engines or cloud computing services.

    We suspect our clients would fall within the RDSP category, but they may be dealing with customers in both categories. Cloud providers under the NIS Regulations are defined as a “digital service that enables access to a scalable and elastic pool of shareable computing resources”.  

    Whilst it can be a challenge to know if an organisation qualifies as an RDSP, the Government provided guidance in several responses in 2018 clarifying that cloud providers will likely include Platform as a Service (“PaaS”), Infrastructure as a Service (“IaaS”) and the more commonly known Software as a Service (“SaaS”) offerings, where the resources available to the customer can be varied in an elastic and scalable way.

    The Government guidance considers this requirement would likely exclude most: 

    • online gaming;  
    • entertainment; or  
    • VOIP services, 

    as the resources available to the user are not scalable.  

    However, services where the resources are scalable would likely be caught, such as:

    • email or online storage providers;  
    • cloud-based collaboration tools like Teams and Slack; or 
    • CRM systems.

    Even so, it’s apparent that not all SaaS services automatically fall within the NIS Regulations.

    RDSPs must also exceed threshold criteria, namely:

    1. having 50 or more staff;
    2. having an annual turnover of €10 million; and
    3. being larger than a small or micro-sized enterprise, which can cause difficulties in interpreting turnover where some services of an organisation are in scope and some are not.

    In this case, the guidance recommends referring to the Information Commissioner’s Office (“ICO”) for clarification. 

    Providers had to register with their Competent Authority or with the ICO within specified timescales. 

    Extension of RDSPs on the cards? 

    The Government launched an open consultation, which ran until 10 April 2022 (the “Consultation”), aimed at updating the UK’s cyber resilience legal framework. It’s useful to note that the Government intended to extend the ambit of RDSPs to managed service providers, which would likely catch providers who do not already fall within the scope of the NIS Regulations by virtue of offering cloud computing services.

    Most IT suppliers providing managed support services to their customers would likely fall within this definition, though the Government appeared ready to note that most managed service providers rely on external suppliers. These changes could be implemented by new delegated powers to amend the NIS Regulations without further Acts of Parliament.

    Data centres and data storage are also being kept under review as part of the National Data Strategy and National Cyber Strategy (part of the Government’s commitment to cyber security and protecting data infrastructure). 

    We await further developments in these areas.

    Beware the “Double Jeopardy” risk 

    Breach of the NIS Regulations is subject to tiered fines up to a maximum of £17 million, though the Government considers penalties are a last resort.  

    Beware, however, of the “double jeopardy” risk under the NIS Regulations and the UK GDPR, as the Government maintains that different penalties could relate to different wrongdoings and different impacts under each regime. A security breach which also impacts personal data could therefore mean organisations risk fines under both the NIS Regulations and the UK GDPR in the region of £17 million or 4% of total worldwide annual turnover, or more, though regulators and competent authorities are expected to work together in determining what approach to take.

    What should you do now? 

    We suggest this is a useful opportunity to press “refresh” and consider whether your business is in shape regarding the NIS Regulations and its cyber strategy generally, and whether it needs to take any additional steps, including:

    1. Review, update and rehearse your data breach processes and policies and ensure you are ready to respond if required. 
    2. Check whether your business is captured by the NIS Regulations. If it is not, check that this is still the case if your services have evolved and, in any event, check your processes and what you would do in the event of a cyber attack.
    3. Review the NCSC Cyber Assessment Framework (even if your business isn’t captured by the NIS Regulations, it could be useful!).
    4. Continue to protect personal data by taking appropriate measures and complying with the UK GDPR security principle.
    5. See the ICO checklist for RDSPs.
    6. Last, but definitely not least, think about your suppliers and your contracts with them and whether you have flowed down any security requirements, including reporting requirements, to them. 

    What about our neighbours? 

    Co-operation across countries will be crucial for dealing with cross-border cyber attacks, which are unlikely to be curtailed by territorial boundaries. With “NIS 2” being implemented in Europe to adapt to the pace of technological change, the UK may need to change the NIS Regulations, particularly to reflect commitments in the UK-EU Trade & Co-operation Agreement agreed for Brexit, such as those on accreditation schemes, and to ensure co-operation with the EU.

    Organisations which provide services in EU member states or other countries will also likely be bound by applicable local cyber security laws and should take advice in those jurisdictions.  

    If you need any more information on the NIS Regulations or how they affect your business specifically, please don’t hesitate to contact us for advice at Law 365. Here at Law 365 we’re experts in Technology Law.

    If you have any questions about your obligations relating to cyber attacks and data breaches, get in touch.
