January 10, 2022
The Network and Information Systems (EU Exit) (Amendment) Regulations 2021 were made on 15 December 2021 and come into force on 12 January 2022.
The new Regulations address EU-exit related deficiencies in the retained EU legislation regulating the security of network and information systems of core UK service providers. The deficiencies mainly relate to the parameters which determine when digital service providers must report cyber incidents; these parameters are set out in retained EU law at levels appropriate for the EU as a whole, but not for the UK now that it is a standalone nation.
The instrument also makes minor textual adjustments to the security requirements of digital service providers to reflect the UK’s position outside of the EU.
Currently, under the Network and Information Systems Regulations 2018 (the NIS Regulations), which implement the NIS Directive (2016/1148/EU), digital service providers are obliged to notify the Information Commissioner of incidents that have a “substantial” impact on their ability to deliver services.
The NIS EU Commission Implementing Regulation (2018/151/EU) (the NIS EU Implementing Regulation) supplements the NIS Regulations by, inter alia, setting out the parameters that digital service providers must consider when determining whether an incident has had a substantial impact on the provision of their services. The parameters were set out in this way, rather than in guidance issued by the competent authority, because digital service providers operate across multiple Member States and so need to be regulated on an EU-wide basis by a single Member State (the one hosting the digital service provider’s headquarters).
When the UK left the EU, UK laws implementing EU Directives and EU Regulations that were directly effective in the UK (including the NIS Regulations and the NIS EU Implementing Regulation) were preserved as “retained EU law” by virtue of the EU (Withdrawal) Act 2018 (EUWA). The EUWA also gave Ministers the power to amend retained EU law to prevent, remedy or mitigate any failure of such law to operate effectively in the UK.
The new 2021 Regulations amend the NIS EU Implementing Regulation to reflect the fact that the UK is no longer part of the EU, but a standalone nation. The amendments are needed because the reporting thresholds under the NIS EU Implementing Regulation are set by reference to the size of the EU population affected, and those thresholds are generally too high to trigger reporting in the UK. The result is that the competent authority for digital service providers, the Information Commissioner, is not sighted on cyber incidents which have caused disruption to the services provided by digital service providers.
The main correction is the removal of Article 4 of the NIS EU Implementing Regulation which contains the defective reporting thresholds. In the future, the thresholds will be set by the Information Commissioner in guidance. Provision has been added at regulation 12 of the NIS Regulations to ensure that digital service providers have regard to the Information Commissioner’s guidance (which will be issued under existing powers at regulation 3(4) of the NIS Regulations) when determining whether to report an incident. There is no express duty on the Information Commissioner to issue guidance on reporting thresholds, but the Information Commissioner has confirmed they will do so and it will be in place when Article 4 is revoked. The legislation would nonetheless work without guidance in place although there would be less detail provided to help digital service providers determine when an incident has a “substantial” impact.
A textual amendment has also been made to Article 3 of the NIS EU Implementing Regulation which means digital service providers must consider the geographical impact of an incident across the UK rather than across EU Member States.
The making of the new Regulations follows Government and ICO consultation processes.