Partner Simon Shooter summarises the NISR and what DSPs need to know ahead of the deadline of November 1, 2018.
The regulations and who is impacted
Some of you will be familiar with the NISR (Network and Information Systems Regulations), which came into force on 9 May this year and which have been designed to prevent critical national infrastructure of EU countries in case of a cyber attack. These regulations have largely been largely overlooked to date, as many organisations find themselves spending all of their time and money on dealing with GDPR. They impact two key categories of organisations: Operators of Essential Services (OESs) and Digital Service Providers (DSPs). A third category which is likely to be affected - to a lesser degree - is suppliers to these OESs and DSPs who have access to networks and information systems.
How do I know if I qualify as a DSP under NISR?
DSPs under the NISR are defined as either a (i) search engine, (ii) cloud computing service, or (iii) online marketplace. A more detailed explanation of this definition can be found here.
By way of example, in the UK, if you:
- have a head office in the UK or have a nominated UK-based representative; and
- are not a small or micro-business (i.e. a business that employees fewer than 50 people and have an annual turnover of less than 10 million euros);
then you must register with the competent authority, the Information Commissioner's Office (ICO), by 1 November 2018. Looking outside of the UK, you can view our tracker to learn more about the jurisdictional differences across the EU.
What do I need to do to comply?
Once you have registered you then need to look at your compliance obligations. If you pass the threshold in the NISR and qualify as an DSP, the principal requirement is that you must be able to demonstrate that you have taken appropriate and proportionate measures to manage the risks posed to the security of your network and information systems, and that you have such measures in place to prevent and minimise the impact of such an incident. In line with the EU's General Data Protection Regulation (GDPR), DSPs must also report all incidents to the competent authority within 72 hours of becoming aware of them.
A more detailed description of these obligations can be found here.
You can view our series of videos for advice on how to prepare for NISR and view our tracker to learn more about jurisdictional differences.
What happens if I fail to comply?
The penalty for non-compliance varies for each member state. In the UK, significant fines can be levied on businesses depending on the significance and manner of the non-compliance. A 'material contravention' is considered to be the most serious breach, carrying a maximum fine of £17 million, not including the cost of the investigation to determine the cause of the contravention. To find out more about the penalties in various jurisdictions, view our tracker.
The ICO also has a range of enforcement powers, which include:
- the power of inspection;
- issuing enforcement notices to require businesses to take, or refrain from taking, certain steps; and
- requests for information through information notices.
Importantly, businesses that fall under the umbrella of both a DSP and an OES (for example, an airline that also offers consumers the option to purchase insurance and car hire, making it online marketplace and, therefore, a DSP) will need to comply with the NISR in each role, and be subject to dual penalty provisions of non-compliance.
If you would like to hear more about how we can help you, get in touch: our multi-disciplinary cyber security team, led by Simon Shooter, would be delighted to assist and to provide advice on registration and compliance.