This article was first published on Lexis®PSL TMT on 31 May 2018.
TMT analysis: Simon Shooter, partner at Bird & Bird, considers the implications for data centres of the Network and Information Systems Regulations 2018 (NIS Regulations).
Network and Information Systems Regulations 2018, LNB News 23/04/2018 118
SI 2018/506: Provisions are made to establish a legal framework to ensure that operators of essential services and selected digital service providers within the UK put in place adequate measures to improve the security of their network and information systems, with a particular focus on those services which, if disrupted, could potentially cause significant damage to the UK’s economy, society and individuals’ welfare; and to ensure that serious incidents are promptly reported to the competent authorities. The Regulations came into force on 10 May 2018.
How do the NIS Regulations apply to data centres?
The NIS Regulations (SI 2018/506) apply principally to entities that meet the definition of an Operator of Essential Services (OES) or a Digital Service Provider (DSP). Against the current UK definitions of OES, it is unlikely that operators of data centres will qualify as OES.
The closest OES sector description is digital infrastructure. However, the essential services listed under that sector are top-level domain name registries, DNS service providers and internet exchange points. An internet exchange point, for example, is a network facility which enables the interconnection of independent autonomous systems to facilitate the exchange of internet traffic, which provides interconnection only for autonomous systems, which does not require the internet traffic passing between two autonomous systems to pass through a third autonomous system, and which does not alter or otherwise interfere with such traffic. None of these descriptions obviously applies to a data centre.
It is possible, however, that data centres can qualify as DSPs. A relevant digital service provider is an operator who provides an online marketplace, an online search engine or cloud computing services. Discounting the first two service descriptions, the NIS Regulations define a cloud computing service as a ‘digital service that enables access to a scalable and elastic pool of shareable computing resources’. The Department for Digital, Culture, Media & Sport targeted consultation on DSPs added that the government considers cloud computing services to include:
- infrastructure as a service: the delivery of virtualised computing resource as a service across a network connection, specifically hardware computing infrastructure delivered as a service
- platform as a service: services that provide developers with environments on which they can build applications that are delivered over the internet, often through a web browser
- software as a service, provided the resources available to the customer through that software are changeable in an elastic and scalable way
The government also considers that services such as email or online storage, where the resources are scalable, may fall within the definition.
It seems likely, therefore, that data centre operators could qualify as DSPs and become subject to the obligations the NIS Regulations impose on DSPs.
It should be noted that the NIS Regulations do not apply to hardware and software developers or
digital service providers that are considered small and micro businesses, which are companies
employing fewer than 50 people whose annual turnover and/or balance sheet total is less than
While the NIS Regulations themselves are silent on the relevance of the supply chain to OES and DSPs, the statements made by the Department for Digital, Culture, Media & Sport in the consultation process firmly point to OES and DSPs assuming responsibility for ensuring that their suppliers have adequate measures in place to preserve the security of their networks and information systems. We expect the guidance to be issued by the relevant competent authorities to provide more detail on this aspect. Nevertheless, given the nature of the service data centres provide, it is entirely foreseeable that, where they serve OES and DSP customers, they will be contractually required to adopt and maintain adequate measures which will in practice mirror those required of those customers.
Accordingly, there are two likely ways in which the NIS Regulations could apply to data centres:
- if the data centre operator itself meets the definition of a DSP
- by being contractually bound to comply by its OES and DSP customers
What are the implications of the NIS Regulations for suppliers of data centre services?
It follows that if a data centre qualifies as a DSP it must identify and take appropriate measures to manage the risks posed to the security of its networks and information systems. It will also have to register as a DSP with the Information Commissioner's Office (ICO), the competent authority designated for DSPs.
The measures must ensure a level of security appropriate to the risk posed, and must prevent and minimise the impact of incidents affecting its networks and information systems with a view to ensuring continuity of service provision. They must take account of:
- the security of its systems and facilities
- business continuity management
- incident handling
- monitoring, testing and auditing
- compliance with international standards
It must also notify the Information Commissioner without undue delay, and in any event within 72 hours of becoming aware of an incident having a substantial impact on the provision of its digital services, provided it has access to the information necessary to assess the impact of the incident. In practice this means a DSP needs incident-detection and escalation processes capable of identifying a substantial-impact incident and getting the facts to the notifying function within that window.
If a data centre is contractually bound to comply as a supplier, it is likely that the contractual obligations will mirror those detailed above.
The sanctions regime for breach is significant: competent authorities have powers to serve information notices, conduct inspections, and serve enforcement and penalty notices. The ultimate fine
available under the NIS Regulations is £17,000,000 for a ‘material contravention which the
enforcement authority determines has caused, or could cause, an incident resulting in immediate
threat to life or significant adverse impact on the United Kingdom economy’.
What are the implications of the NIS Regulations for customers of data centre services?
If those customers are OES or DSPs, they will have to see how their relevant competent authority's guidance addresses their responsibility for their supply chain. The Department for Digital, Culture, Media & Sport statement referred to above is:
‘It is the government's view that it is the Operator of Essential Service or Digital Service Provider's responsibility to ensure (through
whatever levers or contractual arrangements they have) that their suppliers have in place appropriate measures.’
Are there any grey areas or other significant points to make?
The compliance obligations under the regulations run in parallel, so an entity that qualifies both as an OES and as a DSP will have parallel compliance obligations. The NIS Regulations are additional to, and separate from, the GDPR. Accordingly, while there is an expectation of collaboration between competent authorities, there is currently the sobering prospect of double or treble jeopardy, with aggregating fines arising out of a single incident. It is hoped this will be addressed in future guidance. See ICO Guidance: Guide to NIS – How does NIS relate to the GDPR?
While the NIS Directive contains jurisdiction provisions for DSPs, which indicate that a DSP need only comply with the implementing legislation of the Member State in which it has its main establishment, there are no corresponding provisions for OES. Accordingly, an OES will be subject to compliance obligations in each Member State in which it meets the relevant definition of an OES. It is also clear that the implementation of the NIS Directive across the Member States is, and will remain, very disparate.
The guidance issued to date, together with the statements made in the consultation process, suggests a build-up to full enforcement that may take place over the next twelve months.