The deadline for registration under The Network and Information Systems Regulations is 1 November 2018
Do the Regulations apply to you?
The Network and Information Systems Regulations 2018, which came into force in May 2018 at about the same time as the GDPR, appear to have slipped into place with much less fanfare. Under those Regulations, if you provide relevant digital services such as cloud computing services, an online marketplace or an online search engine, the deadline for registering with the ICO as a relevant digital service provider is 1 November 2018.
In very brief terms, a cloud computing service, always an amorphous concept, is defined as "a digital service that enables access to a scalable and elastic pool of shareable computing resources". This will primarily capture "[anything] aaS" providers (infrastructure, platform and software as a service), but other models may also fit within this definition. An online search engine is one that is provided to the public, and an online marketplace is a platform that allows buyers and sellers to conclude sales of goods or services with each other (but excludes a retailer only selling its own goods).
What do you need to do?
The obligations under the Regulations are to "take appropriate and proportionate measures to manage the risks posed to the security of network and information systems on which [the business] relies to provide" relevant digital services. The measures taken must ensure a level of security of those network and information systems appropriate to the risk posed, and must prevent, and minimise the impact of, incidents affecting those systems so as to maintain the continuity of the services. In deciding what measures are appropriate, you must take account of:
• the security of systems and facilities;
• incident handling;
• business continuity management;
• monitoring, auditing and testing; and
• compliance with international standards.
There are also reporting obligations: incidents with a substantial impact on the provision of a relevant digital service must be notified to the ICO without undue delay and, as with personal data breach notifications under the GDPR, no later than 72 hours after you become aware of the incident. Whether an impact is "substantial" is assessed against factors such as the number of users affected, the duration of the incident, the geographical area affected and the extent of the disruption. You must also maintain adequate records to evidence the steps taken for compliance. The regime provides the ICO with enforcement powers, ranging from information notices and enforcement notices up to a maximum financial penalty of £17,000,000.
A business that qualifies as a small or micro enterprise falls outside the scope of these Regulations; broadly, this means fewer than 50 employees and an annual turnover and/or balance sheet total not exceeding €10 million. But even if you fall below these thresholds, remember that "operators of essential services" (OES), which are also subject to the NIS Regulations, must manage the security risks in their own supply chains in order to protect their own services. If you provide relevant services to an OES, you should expect those obligations to be passed down to you contractually, so you will still need to deal with the consequences of these Regulations.
For more information on the impact of these Regulations, please contact a member of the Commercial Department.