What double whammy?

The Quick Version

Effective from the 10th of May 2018, the Network and Information Systems Regulations 2018 (the NIS Regulations 2018) were somewhat overlooked in the noise around the implementation of GDPR.

They aim to ensure there are resilient and effective national cyber security regimes across the EU and potentially present a double whammy to firms when there is a personal data breach - not least because the Information Commissioner's Office is one of the competent authorities responsible for their enforcement in the UK.

Not every organisation is affected but ignoring what obligations you do have under NIS is not an option - as they say, ignorance is not a defence.
There are 39 Indicators of Good Practice needed to help demonstrate your compliance with NIS.

National Cyber Security Centre

The main impacts

The good news is that not all organisations are affected. The bad news for those that are is that NIS and GDPR are separate pieces of legislation with their own enforcement regimes.

NIS is a cyber security law which places an obligation on affected organisations to take appropriate measures to protect the security of network and information systems as well as a duty to notify security breaches.

NIS notification of breaches requirements are not the same as those under GDPR but run in parallel. This means that in the event of a cyber breach, your organisation could face the double whammy of enforcement action from the ICO under GDPR and under NIS.

Many of the steps needed are rooted in similar principles, like Accountability and Response, meaning it should be a case of making sure your privacy and security regimes are aligned.

Operators of essential services (OES) are those organisations who provide services critical to society and the economy, such as transport, energy and water. Relevant Digital Services Providers (RDSPs) provide digital services such as cloud computing (SaaS), online marketplaces and search engines. Those who fall under OES are normally self-explanatory, but what constitutes a RDSP can be less clear - especially when the service you provide is a digital one to an OES. Falling under NIS adds to your obligations with respect to cyber security and breaches, albeit with very similar requirements to GDPR.

Privacy regulation addresses the protection of personal data and NIS concerns the security of systems. The two go hand in hand, and many of the steps you need to take to demonstrate compliance with one align with those required for the other. However, it is important to understand where the differences lie. We do not claim to be cyber security experts and most of our clients are not affected by NIS. However, by the nature of the services they provide (e.g. cloud computing services), some need to ensure they understand their responsibilities under both of these regimes.

In many cases, you will be required to make a notification to the ICO under GDPR and to the ICO and National Cyber Security Centre under NIS. Like the GDPR, reports must be made to the ICO within 72 hours of becoming aware of any incident, but the reason(s) can be slightly different, e.g. NIS requires reporting of an incident affecting 100,000 or more users whether personal data is affected or not. Understanding the two regimes is something which should be embedded in your incident processes in advance in order to meet the reporting timelines for both.

The ICO is one of a number of designated competent authorities who enforce NIS. Many of these are industry specific and depend on whether the affected organisation is an OES or not. The nature of most incidents means the ICO is likely to be a constant in any action under NIS. The ICO's powers of enforcement under NIS are very similar to those it has under GDPR, including the maximum level of monetary penalty - 4% of global turnover or £17 million. Understanding the role of the ICO, its regulatory approach and its powers under both is another area where advance preparation is key.

Unlike GDPR, there are some specific exemptions from NIS for small and micro organisations. If you have fewer than 50 staff and a turnover or balance sheet of less than €10 million, then NIS will not apply to you (unless your organisation is part of a larger group or controlled by a larger organisation). If you only maintain digital services internally (i.e. they are not provided to external customers) you will not be a RDSP. NIS will also not apply simply because you sell goods and services online - 'online marketplaces' generally refers to the platform which may enable you to do so.
