Guest Blog: Bird & Bird on the NIS Directive
Following the implementation date of the NIS Directive: are Digital Service Providers (DSPs) aware of their compliance obligations?
Bird & Bird's Simon Shooter and Esme Strathcole outline the latest developments around the implementation of the Network and Information Security (NIS) Directive, implemented into UK law on May 9, 2018, and explain what this means for Digital Service Providers (DSPs).
The Network and Information Security (NIS) Directive was implemented into UK law on 9 May 2018 and requires Digital Service Providers (DSPs) to comply with specific security requirements and incident reporting obligations.
At the very end of January the EC issued its Implementing Act that sets out how the Network and Information Security (NIS) Directive should be implemented for Digital Service Providers (DSPs).
In March, the UK Government, through the Department for Digital, Culture, Media and Sport, issued a consultation paper looking at how the NIS Directive will apply to DSPs in the UK. The closing date for responses was 29 April 2018.
There will not be much that is particularly surprising in the Implementing Act or the Consultation Paper to those who are already familiar with NISD. However, it is our understanding that, of all those likely to be affected by the NIS Regulations, it is the DSPs who are least aware that they will face another heavy sanction regime attached to a compliance obligation. This is over and above the sanctions they already face under NISD's more famous sibling, the GDPR.
The headlines from the Consultation Paper:
- No greater definition has been provided on who is a DSP. Digital Service Providers remain defined as operators of:
  - Online marketplaces: a platform that acts as an intermediary between buyers and sellers, facilitating the sale of goods or services, and which represents the final destination for the conclusion of the relevant contracts (sites that redirect users to other sites where the final contracts are made, such as price comparison sites, are not in scope)
  - Online search engines: services that allow users to search public parts of the world wide web
  - Cloud computing services, primarily:
    - Infrastructure as a Service
    - Platform as a Service
    - Software as a Service
- The Information Commissioner's Office (ICO) will be the Competent Authority for DSPs
- It is likely that it will be mandatory for UK DSPs to register with the ICO from 10 May 2018
- No further statement is made on fines, so we expect no change from the single maximum fine of £17m
Security measures for DSPs:
The anticipated security requirements for DSPs:
- systematic management of network and information systems, covering:
  - mapping policies, risk analysis, HR, security architecture, data and system life cycle management and encryption
- physical and environmental security on an "all hazards" approach
- security and traceability of critical supplies
- access controls guarding the availability of systems and networks
Expected incident handling requirements:
- detection processes in place and tested regularly
- policies on handling incidents and identifying weaknesses
- established response procedures
- the ability to assess incident severity and capture learning from incidents
Expected business continuity management requirements:
- establishment and use of continuity plans that need to be regularly tested and assessed through exercises
- disaster recovery capabilities in place
- monitoring, auditing and testing
Points of note
- It is possible to qualify as both an Essential Operator (EO) and as a DSP, and those who do will have to comply with the NIS Regulations in each role. There will be dual reporting requirements and, presumably (though this is not made express in the Consultation Paper), the potential for dual fines.
- The ICO is likely to levy a fee on DSPs through its registration scheme to pay for its role.
- Of all those likely to be affected by NISD, we think it is DSPs who will be most taken by surprise. Those furthest in the dark will be entities that do not perceive themselves as DSPs at all, because the elements that make them a DSP are an adjunct to their main business. It is these entities that also run the greatest chance of being subject to both EO and DSP compliance obligations.
About the Bird & Bird Cyber team:
The long-established multidisciplinary Cyber team at Bird & Bird is tracking developments in the adoption of NISD and the guidance that is issued and anticipated from the Government, NCSC and Competent Authorities. We are on hand to assist with any aspect of cyber-security support that may be needed, from gap analyses and establishing resilience programmes to regulatory compliance and incident response.
Despite the definitions provided, there still remains significant room for uncertainty as to whether you may qualify as a DSP. If you need any help with this, we will be delighted to assist. Equally, if you would like to know more about the obligations that will come with the NIS Regulations, and how you may be affected, we are here to help.