Policy paper

Government response to the call for views on amending the Security of Network and Information Systems Regulations

Published 17 November 2021

This was published under the 2019 to 2022 Johnson Conservative government

1. Introduction

This document sets out the government’s response to the public consultation Call for Views on amending the NIS Regulations in regards to incident reporting thresholds for Relevant Digital Service Providers in scope of the NIS Regulations. It will cover:

  • the background to the Call for Views
  • the summary of the responses
  • a detailed response to the specific questions raised in the consultation

1.1 Contact details

Comments on the government’s response can be sent to:


NIS Directive Team - 4/48
Department for Digital, Culture, Media & Sport
4th Floor
100 Parliament Street
London
SW1A 2BQ

Telephone: 020 7211 6000

Email: nis@dcms.gov.uk

Alternative format versions of this publication can be requested from the address above.

Complaints or comments

If you have any complaints or comments about the consultation process you should contact the NIS Directive Team at the address above.

Freedom of Information

Information provided in the course of this consultation, including personal information, may be published or disclosed in accordance with access to information regimes, primarily the Freedom of Information Act 2000 (FOIA) and the Data Protection Act 1998 (DPA).

The Department for Digital, Culture, Media and Sport will process your personal data in accordance with the DPA and, in the majority of circumstances, this will mean that your personal data will not be disclosed to third parties. This consultation follows the UK government’s consultation principles.

2. Executive summary

In 2018, the Network and Information Systems (NIS) Regulations came into force. The NIS Regulations cover operators of essential services, and relevant digital service providers. The latter are the focus of this government consultation. Relevant digital service providers cover three categories: online search engines, online marketplaces, and cloud computing services. Their competent authority is the Information Commissioner’s Office (ICO).

Currently, the thresholds for a digital service provider to report a NIS incident are set in legislation at a level deemed appropriate for the EU market. In contrast, operators of essential services have their thresholds set in guidance, which means they can be amended. The thresholds for digital service providers no longer work for the UK now it has left the EU. This is a deficiency in the NIS legislation that needs correcting to ensure there are appropriate levels of reporting of NIS incidents by digital service providers in the UK there is a need for policy intervention to rectify this deficiency.

Section 8(1) of the European Union (Withdrawal) Act 2018 allows the Secretary of State to fix deficiencies in legislation arising from the UK’s exit from the EU via secondary legislation. In July 2021 the government published a Call for Views on a proposed statutory instrument to amend the NIS legislation. The purpose of the Call for Views was to gather public views on the proposals to amend NIS legislation in the area of reporting thresholds for digital service providers.

The government received 91 responses to the Call for Views. The responses were generally positive or neutral towards the proposals. Suggested improvements, constructive comments, or areas of concern have been responded to in this document. The government strongly believes that the proposed changes in this statutory instrument will maintain and enhance the effectiveness of NIS legislation in protecting the security of network and information systems for digital service providers.

3. Consultation statistics

The Call for Views was launched on 26 July 2021, and the deadline for responses was 27 August 2021. In total, there were 91 responses to the Call for Views, with the breakdown of respondents as follows:

  • 18% were Operators of Essential Services (in scope of the NIS Regulations);
  • 26% were Relevant Digital Service Providers (in scope of the NIS Regulations);
  • 4% were competent authorities;
  • 19% were classed as ‘other’; and
  • 31% did not answer this question.
18% of respondents were Operators of Essential Services; 26% were Relevant Digital Service Providers; 4% were competent authorities; 19% were classed as ‘other’; and 31% did not answer this question.

Table 1: Breakdown of the respondent profile.

33 respondents answered if their organisation was under the scope of the NIS Regulations. Of these:

  • 23 were under the scope of NIS; and
  • 10 were not under the scope of NIS.

Respondents were asked two further questions, both of which have their own detailed section below. The first of these asked if respondents agreed with our proposal to move incident thresholds for relevant digital service providers out of legislation and into ICO guidance. The second of these questions expanded further, and asked those respondents who disagreed/strongly disagreed with our proposal to choose from a pre-set list of reasons why, as well as an option for other reasons.

This pie chart shows 23 organisations were under the scope of NIS; and 10 were not under the scope of NIS.

Table 2: Breakdown of respondents answering if their organisation is under the scope of NIS.

4. Outcome of the Call for Views

4.1 Agreement with the proposals

Q3. To what extent do you agree or disagree with our proposal to move incident thresholds from legislation to ICO guidance?

In total 38 respondents provided a response to Q3. Of these responses:

  • 45% of respondents agreed/strongly agreed with the government’s proposal to move the incident thresholds from legislation to ICO guidance;
  • 29% of respondents neither agreed nor disagreed with the government’s proposal to move the incident thresholds from legislation to ICO guidance;
  • 27% of respondents disagreed/strongly disagreed with the government’s proposal to move the incident thresholds from legislation to ICO guidance.
24% of respondents strongly agreed with the Government’s proposals; 21% of respondents agreed; 29% of respondents neither agreed nor disagreed; 24% of respondents disagreed, and 3% strongly disagreed.

Table 3: Summary of responses to Q3: To what extent do you agree or disagree with our proposal to move incident thresholds from legislation to ICO guidance?

Please note that some of the graphs in this document do not always total to exactly 100% due to results being rounded to the nearest one percent.

The results of Q3 suggest that overall, respondents are either in favour of or are ambivalent towards the government’s proposals to move the incident thresholds from legislation to ICO guidance.

Only 1 in 10 respondents actively disagreed with the proposal, suggesting that there is limited opposition overall. However, consideration has been given to all feedback, and this response tackles the main themes emerging from comments that were not supportive below.

4.2 Reasons for disagreement

Q4. You said that you disagree/strongly disagree with our proposal. Why do you disagree/strongly disagree?

7 respondents said thresholds shouldn’t be moved out of law; 6 said ICO should not be able to change thresholds; 5 said current thresholds are correct; 3 cited increased reporting requirements; 3 said it would diverge from EU rules; 2 cited other reasons

Table 4: Breakdown of the number of selected choices for respondents disagreeing with the government’s proposals.

The most frequent reason for respondents disagreeing/strongly disagreeing with the government’s proposal was that the ICO should not have the power to amend the thresholds without prior consultation, with 7 respondents citing this reason. Further written feedback highlighted concerns over the ICO amending the thresholds without any statutory duty to consult.

4.3 Government response

Although there is currently no statutory duty to consult industry on its guidance setting out the thresholds in the government’s proposals, the ICO has confirmed its commitment to regular engagement with industry. This includes consulting on any changes to the thresholds with relevant digital service providers to ensure reporting requirements are not too demanding or burdensome.

Currently, competent authorities do not have any statutory duty to consult with operators of essential services on changes in the guidance for reporting thresholds. However, this is agreed-upon practice and operators of essential services have always been consulted by their competent authorities in order to establish fair and appropriate thresholds for incident reporting. The ICO launched its own consultation on the proposed thresholds on 10th September 2021 with two separate threshold models.

The limited number of respondents citing this as a reason for opposing the proposal also suggests that this is an issue for only a minority of respondents, and this does not reflect the wider sentiment of respondents to the consultation.

The government will continue to work closely with the ICO as the competent authority for relevant digital service providers, and ensure that they consult regularly to ensure that any changes in the level of thresholds for reporting strike a fair balance between reporting requirements and maximising the efficiency of the NIS reporting process.

The second most frequent reason for respondents disagreeing/strongly disagreeing with the government’s proposal was that amending the threshold levels would diverge the UK’s NIS legislation away from the EU’s for reporting requirements, with 6 respondents citing this reason.

4.4 Government response

Whilst the government is aware that allowing the ICO to amend the threshold levels may result in them diverging from the levels set for the EU, it believes this is a necessary risk. The current thresholds are not fit for purpose and do not meet the needs of the UK economy. Very few incidents are currently being reported. The government needs to ensure the NIS legislation is effective on a UK-basis.

The contents of this proposal are not reflective of any political stance on NIS, but instead are reacting to wider changes in the political landscape and implementing appropriate steps to ensure NIS legislation remains effective. The government will continue to work with the EU to maintain cooperation where possible.

The third most popular reason for respondents disagreeing/strongly disagreeing with the government’s proposal was that they disagreed with the thresholds being moved out of legislation, with 5 respondents citing this reason.

4.5 Government response

The core element of the government’s proposal is to remove the reporting thresholds from legislation and place them into guidance issued by the ICO. This will allow the ICO, as competent authority, the power to change the reporting thresholds as it considers appropriate for digital service providers without the need for burdensome updating legislation. This brings the setting of reporting thresholds for digital services providers in line with the approach the NIS Regulations takes for setting thresholds for the operators of essential services (where the competent authorities already do so in guidance). The move to replace legislation with guidance for the ICO does not introduce any new elements or practices to the NIS Regulations above and beyond those of the other competent authorities. In fact it brings the ICO’s regime into line with the approach of other NIS competent authorities.

The small proportion of respondents who disagree with moving the proposals out of legislation is encouraging and suggests that there is limited opposition to moving the thresholds out of legislation.