The Department for Digital, Culture, Media & Sport (DCMS) said the UK's Information Commissioner's Office (ICO) would issue guidance on the security measures 'digital service providers' (DSPs) must implement under the NIS regime.
The NIS Directive sets out measures designed to ensure critical IT systems in critical sectors of the economy like banking, energy, health and transport are secure. It will apply to operators of such "essential services" and to "digital service providers". DSPs are defined as being online marketplaces, online search engines or cloud computing service providers that normally provide their service "for remuneration, at a distance, by electronic means and at the individual request of a recipient of services".
The Directive, which must be implemented into national law across the EU by 9 May 2018, sets out security requirements and incident notification rules for DSPs which are different from those that apply to operators of essential services.
The UK government finalised its plans for implementing the NIS Directive in respect of the rules for operators of essential services earlier this year. It has now opened a "targeted consultation" with digital service providers (12-page / 159KB PDF) to explain how the new Directive will apply to them in the UK. The consultation is open until 29 April.
In its consultation paper, DCMS acknowledged that the UK government lacks freedom over the way it implements the NIS Directive into UK law. That is because many of the requirements facing DSPs under the Directive are set out in an EU implementing regulation, published earlier this year, including in relation to the security measures DSPs are expected to have in place and their incident reporting obligations.
The implementing regulation is directly applicable across all EU member states, including the UK.
DCMS set out how it intends to reflect that position in UK law in its consultation paper, but also confirmed that DSPs in the UK could be subject to some additional rules that are not set out in the EU legislation.
DCMS said, for example, that it is considering requiring DSPs to register with the ICO under the NIS Directive. The ICO is to "establish a system in order for UK DSPs to register themselves" with it after 10 May, when the UK NIS rules will begin to apply.
"This registration system is necessary in order for the ICO to know who is required to meet the requirements of the Directive and who they need to regulate," DCMS said.
The ICO will also "publish further guidance" on what DSPs' security obligations are under the NIS regime to complement the "outcome focused" measures set out in the EU implementing regulation, the government said.
Additional guidance to help DSPs comply with their incident reporting duties could also be issued by the ICO, DCMS said. However, it said that any new guidance could not deviate from the "impact parameters" that the European Commission has outlined in its implementing regulation.
The EU Agency for Network and Information Security (ENISA) last year published guidance for digital service providers on their incident notification obligations under the NIS Directive.
ENISA said at the time that the Directive's requirements can be summarised as requiring "any incident affecting the availability, authenticity, integrity or confidentiality of data stored, transmitted or processed by a [DSP] through network and information systems, which has a substantial impact on the provision of the digital service offered" to be reported.
The European Commission's implementing regulation outlines set criteria for what constitutes an incident of 'substantial impact' that digital service providers must report.