The Network and Information Systems Regulations 2018 were laid before the UK parliament on 20 April and will come into force on 10 May.
The regulations set out measures designed to ensure that critical IT systems in critical sectors of the economy, such as banking, energy, health and transport, are secure. They will apply to operators of such "essential services" and to "digital service providers".
Under the new rules, both operators of essential services and digital service providers are subject to requirements to keep their networks and information secure and to notify security incidents to "competent authorities" when they occur. Government ministers and departments, and regulators such as Ofcom and the Information Commissioner's Office (ICO), are among the authorities responsible for overseeing compliance in the various sectors caught by the rules.
A tiered system of fines set out within the regulations determines the maximum penalty organisations could be issued with for breaching the new rules.
Fines of up to £3.4 million could be issued where a security incident has caused or could cause a reduction in the provision of services for "a significant period of time", while a maximum penalty of £8.5m could be applied where services have been or could be disrupted for a significant period of time.
In the most serious cases, where authorities determine that an incident has caused or could cause "an immediate threat to life or significant adverse impact on the United Kingdom economy", a fine of up to £17m could be imposed.
The new regulations give UK authorities the power to designate which organisations are 'operators of essential services' and in scope of the new laws, where set criteria and thresholds are met. Digital service providers – online marketplaces, online search engines or cloud computing service providers – are directly subject to the new rules, although micro and small businesses are exempt.
The regulations also require the UK government to outline a strategy to provide strategic objectives and priorities on the security of network and information systems in the country, and provide for GCHQ to play a role in monitoring security incidents, issuing risk warnings and sharing best practices with operators of essential services and digital service providers under the framework.
Specialist in cyber risk and regulation Philip Kemp of Pinsent Masons, the law firm behind Out-Law.com, said that the regulations do not appear to have attracted the attention warranted by their requirements. This is perhaps as a result of the regulations arriving "within the shadow of the GDPR", he said.
"For those entities caught by the new regulations, the notification obligations and potential fines that may apply demand attention," Kemp said. "Crucially, the regulations do not have the data protection focus of the GDPR, instead adopting a broader purpose to seek to ensure appropriate protections to key infrastructure and services. The practical effect is that the regulations may therefore apply to a broad range of incidents, and that it is not just events affecting personal data that must be prioritised and responded to swiftly."
"Given the potential fines and short time period in which notification is required, consideration of the application of the regulations must be a priority in the event of any security incident," he said. "It is unfortunate that uncertainty still remains as to the practical process required of operators of essential services and digital service providers, which it is hoped the relevant regulators will act fast to remedy. The significance and potential impact of the regulations must not be overlooked."
The UK government recently explained how the NIS Directive will apply to digital service providers.