UK government to undertake further work to clarify scope of NIS Directive

The government carried out a consultation earlier this year focusing on the guidance it needed to provide for digital service providers (DSPs) in the wake of the NIS directive’s implementation in May.

In its response (11 page / 163KB PDF), published last week, the government said respondents had broadly agreed with its approach but there continued to be uncertainty over exactly who was in scope, particularly in relation to cloud service providers, and that greater clarification was needed on the subject of cost recovery.

As a result the Department of Culture, Media and Sport (DCMS) said it would now work with the Information Commissioner’s Office (ICO) to clarify guidance to DSPs and how the ICO’s cost recovery process would work.

The NIS Directive sets out measures designed to ensure critical IT systems in important sectors of the economy like banking, energy, health and transport are secure. It applies to operators of such "essential services" and to DSPs.
The directive defines DSPs as being online marketplaces, online search engines or cloud computing service providers that normally provide their service "for remuneration, at a distance, by electronic means and at the individual request of a recipient of services".

The implementing regulation for the directive sets out many of the requirements for DSPs, including the requirement to register with a relevant competent authority. UK DSPs are required to register with the ICO by 1 November this year, and if they are affected by a cyber security incident must notify the ICO within 72 hours.  

Cyber security expert David McIlwaine of Pinsent Masons, the law firm behind Out-Law.com, said the government’s recommendation to the ICO that they advise DSPs to follow the technical guidance published by the European Network and Information Systems Agency “might be considered somewhat unsatisfactory”.

McIlwaine said DSPs had been obliged since the directive’s implementation in May to take “appropriate and proportionate measures to manage the risks posed to the security of network and information systems on which it relies”, according to Article 12(1).

“Without specific guidance from the responsible regulatory body as to what constitutes good practice, it is difficult for a relevant DSP to be confident that it has achieved Article 12(1) compliance, or indeed to know whether greater measures are required beyond those already in place for the General Data Protection Regulation (GDPR),” said McIlwaine. 

McIlwaine said DCMS had issued guidance in April which recommended that competent authorities such as the ICO “take a cautious approach to enforcement during the first year”. The government said while penalties should be levied for serious negligence in the implementation of security measures or the handling, or reporting of an incident, enforcement should be proportionate and appropriate and take into account the challenges arising from a lack of comprehensive NIS compliance guidance prior to May 2018.

“Let’s hope the ICO does heed this recommendation,” McIlwaine said.

Several respondents to the consultation said they were unable to readily identify the type of their organisation from the government’s descriptions and questioned the government’s decision to limit cloud services to “public cloud services”.

The government said it had tried to limit the scope of those who have to comply with the directive to those companies whose loss of service could have the greatest impact on the UK economy either directly or through impact on other companies, and that cloud services were limited to those that were “scalable and elastic”.

It said prospective DSPs that were unsure whether they came under the scope of the NIS regulations should contact the ICO.

Respondents set out a series of areas where they wanted specific guidance from the ICO, including the scope of the ICO’s non-disclosure powers when it came to making issues public, how the ICO is defining ‘software as a service’, and how the ICO will handle incidents that fall under NIS and the GDPR. They also wanted more details on the penalty and appeal regime that will apply for NIS.

The government said a number of these concerns were already laid out in the NIS regulations, but added it would work with the ICO to produce updated guidance.