The Network and Information Systems Regulations 2018 — implications for data centres

By Simon Shooter


This article was first published on Lexis®PSL TMT on 31 May 2018.

TMT analysis: Simon Shooter, partner at Bird & Bird, considers the implications for data centres of the Network and Information Systems Regulations 2018 (NIS Regulations).

Original news

Network and Information Systems Regulations 2018, LNB News 23/04/2018 118

SI 2018/506: Provisions are made to establish a legal framework to ensure that essential services and selected digital service providers within the UK put in place adequate measures to improve the security of their network and information systems, with a particular focus on those services which, if disrupted, could cause significant damage to the UK's economy, society and individuals' welfare; and to ensure that serious incidents are promptly reported to the competent authorities. The Regulations come into force on 10 May 2018.

How do the NIS Regulations apply to data centres?

The NIS Regulations (SI 2018/506) apply principally to entities that meet the definition of an Operator of Essential Services (OES) or of a Digital Service Provider (DSP). Against the current UK definitions of OES, it is unlikely that operators of data centres will qualify as OES.

The closest service sector description for OES is digital infrastructure. However, the essential services captured under that heading are top-level domain name registries, domain name system (DNS) service providers and internet exchange points (IXPs). An IXP, in particular, is defined as a network facility which enables the interconnection of independent autonomous systems for the purpose of exchanging internet traffic, which provides interconnection only for autonomous systems, and which neither requires the internet traffic passing between two autonomous systems to pass through a third autonomous system nor alters or otherwise interferes with such traffic. None of these descriptions obviously applies to a data centre as such.

It is possible that data centres can qualify as DSPs. A relevant digital service provider is an operator who provides an online marketplace, an online search engine or cloud computing services. Discounting the first two service descriptions, the NIS Regulations define a cloud computing service as a 'digital service that enables access to a scalable and elastic pool of shareable computing resources'. The Department for Digital, Culture, Media & Sport's targeted consultation on DSPs added that the government considers cloud computing services to include:

  • infrastructure as a service—the delivery of virtualised computing resource, specifically hardware computing infrastructure, as a service across a network connection
  • platform as a service—services that provide developers with environments on which they can build applications that are delivered over the internet, often through a web browser
  • software as a service—provided the resources available to the customer through that software can be changed in an elastic and scalable way

The government also considers that services such as email or online storage, where the resources are scalable, may fall within the definition.

It seems likely, therefore, that data centre operators could qualify as DSPs and become subject to the NIS Regulations as they apply to DSPs.

It should be noted that the NIS Regulations do not apply to hardware and software developers, nor to digital service providers that are small or micro businesses, meaning companies employing fewer than 50 people whose annual turnover and/or balance sheet total is less than €10m. A data centre operator above that threshold cannot rely on this exemption.

While the NIS Regulations themselves are silent on the relevance of the supply chain to OES and DSPs, the statements made by the Department for Digital, Culture, Media & Sport during the consultation process firmly point to OES and DSPs assuming responsibility for ensuring that their suppliers have adequate measures in place to preserve the security of their networks and information systems. We expect the guidance to be issued by the relevant competent authorities to provide more detail on this aspect. Nevertheless, given the nature of the service that data centres provide, it is entirely foreseeable that where they supply OES and DSPs they will be contractually required to adopt and maintain adequate measures, which will inevitably mirror those required of their OES and DSP customers.

Accordingly, there are two likely ways in which the NIS Regulations could apply to data centres:

  • if the data centre operator meets the definition of a DSP
  • by being contracted into compliance by OES and DSP customers

What are the implications of the NIS Regulations for suppliers of data centre services?

Following the above, if a data centre qualifies as a DSP it must identify and take appropriate and proportionate measures to manage the risks posed to the security of its networks and information systems. It will also have to register as a DSP with the Information Commissioner's Office (ICO), the competent authority designated for DSPs.

The measures must ensure a level of security appropriate to the risk posed, must prevent and minimise the impact of incidents affecting its networks and information systems with a view to ensuring continuity of service provision, and must take account of:

  • the security of its systems and facilities
  • business continuity management
  • incident handling
  • monitoring, testing and auditing
  • compliance with international standards

It must also notify the Information Commissioner without undue delay, and in any event within 72 hours of becoming aware of it, of any incident having a substantial impact on the provision of its digital services, provided it has access to the information necessary to evaluate the substance of that impact. Note that the 72-hour clock runs from awareness of the incident, not from the incident itself, so the operator's detection and incident-handling processes determine in practice how much of that window is available for assessment.

If a data centre is contracted into compliance as a supplier, the contractual obligations are likely to mirror those detailed above, including flow-down of the incident notification timescale so that the OES or DSP customer can meet its own reporting deadline.

The sanctions regime for breach is significant: competent authorities may serve information notices, conduct inspections, and serve enforcement notices and penalty notices. The maximum fine available under the NIS Regulations is £17,000,000, reserved for a 'material contravention which the enforcement authority determines has caused, or could cause, an incident resulting in immediate threat to life or significant adverse impact on the United Kingdom economy'.

What are the implications of the NIS Regulations for customers of data centre services?

If those customers are OES or DSPs, they will need to check how their relevant competent authority's guidance addresses their responsibility for their supply chain. The Department for Digital, Culture, Media & Sport statement referred to above is:

‘It is the government's view that it is the Operator of Essential Service or Digital Service Provider's responsibility to ensure (through whatever levers or contractual arrangements they have) that their suppliers have in place appropriate measures.’

Are there any grey areas or other significant points to make?

An entity that qualifies both as an OES and as a DSP carries both sets of compliance obligations in parallel. The NIS Regulations are additional to, and separable from, the GDPR. Accordingly, while there is an expectation of collaboration between competent authorities, there is currently the sobering prospect of double or treble jeopardy, with fines aggregating from a single incident: a security incident at a data centre that also involves personal data could, for example, attract a NIS penalty and a separate GDPR penalty. It is hoped this will be addressed in future guidance. See ICO Guidance: Guide to NIS – How does NIS relate to the GDPR?

While the NIS Directive (NISD) contains jurisdiction provisions for DSPs, indicating that a DSP need only comply with the national NISD implementation of the Member State in which it has its main establishment, there are no corresponding provisions for OES. Accordingly, an OES will be subject to the rules of each Member State in which it meets the relevant OES definition. It is also clear that transposition of the NISD across the Member States is, and will remain, very uneven.

The guidance issued to date, together with the statements made during the consultation process, suggests a gradual build-up to full enforcement over the next twelve months.