Ofcom lowers thresholds for reporting Network and Information Systems incidents

Ofcom has lowered the thresholds for when Operators of Essential Services (OESs) should inform it of incidents. Ofcom says this should result in more cases of significant disruption being reported.

Ofcom’s Network and Information Systems (NIS) Guidance sets out the incident reporting thresholds at which it considers an incident to be of significant impact, and therefore when it expects OESs to report incidents to it.

Ofcom notes that several outages have occurred recently in the digital infrastructure subsector that were not reported. While they fell below the previous reporting thresholds, Ofcom believes that they could have had a significant impact on the continuity of essential services. As a result, following public consultation, Ofcom has decided to lower the incident reporting thresholds in its NIS Guidance.

In Ofcom’s view, the improved visibility that comes from incidents impacting UK users being reported to the regulator will enable it to better understand the causes of disruption to essential services, identify significant cyber security and resilience gaps and spot thematic trends. Ofcom’s Statement includes a table setting out the new thresholds.