Partner Simon Shooter summarises the NISR and what DSPs need to know ahead of the deadline of November 1, 2018.
Some of you will be familiar with the NISR (the Network and Information Systems Regulations 2018), which came into force on 10 May 2018 and which implement the EU NIS Directive, designed to protect the critical national infrastructure of EU member states against cyber attack. These regulations have been largely overlooked to date, as many organisations have spent all of their time and money dealing with the GDPR. They affect two key categories of organisation: Operators of Essential Services (OESs) and Digital Service Providers (DSPs). A third category likely to be affected, to a lesser degree, is suppliers to those OESs and DSPs who have access to their networks and information systems.
If your organisation qualifies as a DSP, then you must register with the competent authority, the Information Commissioner's Office (ICO), by 1 November 2018. Looking outside the UK, you can view our tracker to learn more about the jurisdictional differences across the EU.
Once you have registered, you then need to look at your compliance obligations. If you pass the thresholds in the NISR and qualify as a DSP, the principal requirement is that you must be able to demonstrate that you have taken appropriate and proportionate technical and organisational measures to manage the risks posed to the security of your network and information systems, and that those measures prevent and minimise the impact of incidents affecting those systems. DSPs must also report incidents that have a substantial impact on the provision of their services to the ICO within 72 hours of becoming aware of them, a timescale that mirrors the breach-notification deadline in the EU's General Data Protection Regulation (GDPR).
A more detailed description of these obligations can be found here.
You can view our series of videos for advice on how to prepare for NISR and view our tracker to learn more about jurisdictional differences.
Importantly, businesses that fall under the umbrella of both a DSP and an OES (for example, an airline that also offers consumers the option to purchase insurance and car hire, making it an online marketplace and, therefore, a DSP) will need to comply with the NISR in each role, and will be exposed to the penalty provisions of each regime for non-compliance.
If you would like to hear more about how we can help you, get in touch: our multi-disciplinary cyber security team, led by Simon Shooter, would be delighted to assist and to provide advice on registration and compliance.