Government publishes response to its call for views on amending the incident reporting framework for digital service providers within the Network & Information Systems Regulations 2018

In July 2021, the Government published a policy paper setting out its approach to rectifying an EU-Exit related deficiency in the Network & Information Systems Regulations 2018 (NIS Regulations) surrounding incident reporting thresholds for digital service providers. The thresholds are enshrined in the NIS Regulations and the European Commission Implementing Regulation (151/2018/EU), which together set out the rules for the application of the NIS Regulations to digital service providers.

This call for views sought feedback on the Government’s proposal to move incident reporting thresholds from legislation to Information Commissioner’s Office guidance. The proposals would allow the Information Commissioner’s Office, as the Competent Authority for digital service providers, to set the thresholds at a more appropriate level. The ICO agreed to subject the new thresholds that it would propose to further consultation with relevant digital service providers.

The Government has now published its response to the call for views, which received 91 responses.

On the main proposal to move incident thresholds from legislation to ICO guidance, 45% of respondents agreed/strongly agreed with the proposal, 29% neither agreed nor disagreed, and 27% disagreed/strongly disagreed. The most frequent reason for disagreeing/strongly disagreeing with the Government’s proposal was that the ICO should not have the power to amend the thresholds without prior consultation. Further written feedback highlighted concerns over the ICO amending the thresholds without any statutory duty to consult.

In response, the Government said that, although there is currently no statutory duty to consult industry, the ICO has confirmed its commitment to regular engagement with industry, including consulting on any changes to the thresholds with relevant digital service providers to ensure reporting requirements are not too demanding or burdensome. The ICO also launched its own consultation on the proposed thresholds on 10 September 2021 with two separate threshold models.

The Government also said that it will continue to work closely with the ICO and ensure that it consults regularly, so that any changes in the level of thresholds for reporting strike a fair balance between reporting requirements and maximising the efficiency of the NIS reporting process.