Policy paper

Security of network and information systems - call for views on amending the NIS regulations

Published 26 July 2021

This was published under the 2019 to 2022 Johnson Conservative government

1. Open call for views

1.1 This document sets out the Government’s approach to rectifying an EU-Exit related deficiency in the Network and Information Systems legislation surrounding incident reporting thresholds for digital service providers. These are enshrined in the Network and Information Systems Regulations 2018 (NIS Regulations) and the European Commission Implementing Regulation 151/2018, which together set out the rules for the application of the NIS Regulations with regard to digital service providers.

Responses

By survey

Respondents are invited to provide answers to these questions using the online feedback survey tool here. Respondents are welcome to only answer questions relevant to them. Supporting evidence should be submitted directly to nis@dcms.gov.uk. Partial responses will be recorded and included in the analysis.

By post

Hard copy responses can be sent to:


NIS Team
Department for Digital, Culture, Media & Sport
4th Floor (4/47)
100 Parliament Street
London
SW1A 2BQ

By email

Alternatively, respondents can download and populate this feedback form on the main page and email responses directly to nis@dcms.gov.uk.

When responding, please clarify:

  • if you are responding on behalf of an organisation or in a personal capacity;
  • which questions you are answering (there is no need to respond to all of the questions if they are not all relevant to you);
  • whether you are willing to be contacted (if so, please provide contact details); and
  • whether you prefer for your response to remain confidential and non-attributable (if so, please specify).

All responses should be submitted in advance of the closing date for this Call for Views, which is 23:59 on Friday 27 August 2021.

2. Summary

2.1 The Government seeks to amend incident reporting thresholds for Digital Service Providers as the current thresholds were established when the UK was a member of the European Union and are set for a market size of 28 EU Member States.

2.2 This leads to an EU-Exit related deficiency in the legislation. As the UK has now left the EU, the incident reporting thresholds are no longer appropriate, as they are set too high for the UK alone. These need to be reduced to a number that is relevant to the UK.

3. Background

3.1 This call for views concerns the incident reporting thresholds of the Network and Information Systems legislation, which encompasses the Network and Information Systems Regulations 2018 (NIS Regulations) and the European Commission Implementing Regulation 151/2018. The NIS Regulations came into force on 10 May 2018 and are aimed at improving the level of security of organisations that provide essential services to the UK (water, energy, transport, healthcare, digital infrastructure), as well as some digital services (online marketplaces, online search engines and cloud computing services).

3.2 Organisations under the scope of NIS are accountable to regulators called “Competent Authorities” (CAs). CAs support organisations in scope and enforce the NIS Regulations as appropriate. One of the duties applicable to both digital service providers and operators of essential services is the duty to report substantial incidents that have an impact on the continuity of their services. However, while operators of essential services have the thresholds of what incidents to report set out in guidance issued by competent authorities, the thresholds for digital service providers are set out at a European level by the European Commission Implementing Regulation 151/2018.

3.3 This is because under the original NIS Directive, digital service providers fall within the jurisdiction of the EU Member State where they have their main establishment. That EU Member State then regulates that organisation on behalf of the Union and with the support and cooperation of other EU Member States. As digital service providers offer services that transcend borders, it was considered to be more appropriate that the thresholds be set to account for the entirety of the Union (28 Member States at the time).

3.4 Following our withdrawal from the EU, the UK no longer takes part in coordinating regulatory activities with the EU. However, as the EU (Withdrawal) Act 2018 retained this Commission Implementing Regulation, the incident reporting thresholds for the UK remain the same as those applicable for the entirety of the Union. This is a clear deficiency arising from our withdrawal which needs to be rectified to reflect the UK’s new position, and the thresholds should be lowered to account for the UK’s market.

4. Proposed approach

4.1 The Government is proposing to lay a statutory instrument to amend the NIS Regulations and Commission Implementing Regulation 151/2018.

4.2 The proposal is to revoke Article 4 from the UK retained version of Commission Implementing Regulation 151/2018 (which sets out the thresholds) and allow the Information Commissioner’s Office, as the Competent Authority for digital service providers, to set the thresholds at a more appropriate level through guidance. The Information Commissioner’s Office has agreed to subject the new thresholds that they will propose to further consultation with relevant digital service providers.

4.3 Having the incident reporting thresholds in guidance is consistent with the approach taken by other NIS competent authorities in the UK, and will allow the Information Commissioner’s Office to develop thresholds that are appropriate and proportionate to the UK.

5. Questions

1. Which of the following are you responding as or on behalf of?

A. Competent Authority (CA)

B. Operator of Essential Service (OES)

C. Relevant Digital Service Provider (RDSP)

D. Other (Please specify)

2. (If answering A, B, or C to question 1) Is your organisation in scope of the NIS Regulations?

A. Yes

B. No

C. Don’t know

3. To what extent do you agree or disagree with our proposal to move incident thresholds from legislation to ICO guidance?

(Strongly agree / agree / neither agree nor disagree / disagree / strongly disagree / don’t know)

4. (If answering disagree or strongly disagree to question 3) You said that you disagree/strongly disagree with our proposal. Why do you disagree/strongly disagree? (Choose all that apply)

A. The thresholds should not be moved out of legislation

B. The ICO should not have the power to amend the thresholds without prior consultation

C. The thresholds are currently at an appropriate level

D. Lowering of the thresholds would increase the requirement to report for RDSPs, and may be too demanding

E. Amending the threshold levels will diverge the regulations away from the EU directive for RDSP reporting requirements

F. Other (Please specify)

The closing date for responses is 23:59 on Friday 27 August 2021.


6. Privacy notice

1. Who is collecting my data?

The Department for Digital, Culture, Media & Sport (DCMS) helps to drive growth, enrich lives and promote Britain abroad.

We protect and promote our cultural and artistic heritage and help businesses and communities to grow by investing in innovation and highlighting Britain as a fantastic place to visit. We help to give the UK a unique advantage on the global stage, striving for economic success.

2. Purpose of this privacy notice

This notice is provided within the context of the changes required by Articles 13 & 14 of the EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA). This notice sets out how we will use your personal data as part of our legal obligations with regard to Data Protection.

DCMS’s personal information charter explains how we deal with your information. It also explains how you can ask to view, change or remove your information from our records.

3. What is personal data?

Personal data is any information relating to an identified or identifiable natural living person, otherwise known as a ‘data subject’. A data subject is someone who can be recognised, directly or indirectly, by information such as a name, an identification number, location data, an online identifier, or data relating to their physical, physiological, genetic, mental, economic, cultural, or social identity. These types of identifying information are known as ‘personal data’. Data protection law applies to the processing of personal data, including its collection, use and storage.

4. What personal data do we collect?

Most of the personal information we collect and process is provided to us directly by you. This includes:

  • Personal identifiers (email address, contact details you choose to share with us)
  • Information on how you use this website. This includes your IP address and analytical cookies.

5. How will we use your data?

We use personal information for a wide range of purposes, to enable us to carry out our functions as a government department. This includes:

  • analysis of responses to the Call for Views
  • to re-contact you (if you provide permission)

Our legal reason for collecting or processing this personal data is: UK GDPR Art. 6(1)(e) you have freely given your consent – it will be clear to you what you are consenting to and how you can withdraw your consent. The lawful basis that we rely on to process your personal data will determine which of the following rights are available to you. Much of the processing we do in DCMS will be necessary to meet our legal obligations or to perform a public task. If we hold personal data about you in different parts of DCMS for different purposes, then the legal basis we rely on in each case may not be the same.

7. What will happen if I do not provide this data?

Completion of the Call for Views is optional and you are not required to complete the survey. In addition, you can complete the survey and opt out of providing personal data.

8. Who will your data be shared with?

We will let you know if we are going to share your personal data with other organisations – and whether you can say no. You can ask us for details of agreements we have with other organisations for sharing your information. If you write to us on a subject that is not our policy area, and the response needs to come from another government department, we will transfer your correspondence, including the personal data, to that department. You can also ask us for details of any circumstances in which we can pass on your personal data without telling you. This might be, for example, to prevent and detect crime or to produce anonymised statistics. We won’t make your personal data available for commercial use without your specific permission.

9. How long will my data be held for?

We will only retain your personal data for 2 years in line with DCMS retention policy.

10. Will my data be used for automated decision making or profiling?

We will not normally use your data for any automated decision making. If we need to do so, we will let you know.

11. Will my data be transferred outside the UK and if it is how will it be protected?

We will not send your data overseas. If we need to do so, we will let you know.

12. What are your data protection rights?

You have rights over your personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). The Information Commissioner’s Office (ICO) is the supervisory authority for data protection legislation, and maintains a full explanation of these rights on their website.

DCMS will ensure that we uphold your rights when processing your personal data.

13. How do I complain?

The contact details for the data controller’s Data Protection Officer (DPO) are:


Data Protection Officer
The Department for Digital, Culture, Media & Sport
100 Parliament Street
London
SW1A 2BQ

Email: DCMSdataprotection@dcms.gov.uk

If you’re unhappy with the way we have handled your personal data and want to make a complaint, please write to the department’s Data Protection Officer or the Data Protection Manager at the relevant agency. You can contact the department’s Data Protection Officer using the details above.

14. How to contact the Information Commissioner’s Office

If you believe that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. You may also contact them to seek independent advice about data protection, privacy and data sharing.

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Website: www.ico.org.uk

Telephone: 0303 123 1113

Email: casework@ico.org.uk

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.

15. Changes to our privacy notice

We may make changes to this privacy policy. In that case, the ‘last updated’ date at the bottom of this page will also change. Any changes to this privacy policy will apply to you and your data immediately.

If these changes affect how your personal data is processed, DCMS will take reasonable steps to let you know.

This notice was last updated on 31/03/2021