The UK Government has published its two-year review of the Network and Information Systems Regulations 2018 (the “Regulations”), as required in the Regulations themselves. The review found that, while the Regulations have been generally effective so far, there is still room for improvement.
The Regulations implement the EU’s NIS Directive (2016/1148) and aim “to improve the security of network and information systems” of Operators of Essential Services (“OESs”) in the transport, energy, water, health and digital infrastructure sectors, and of relevant Digital Service Providers (“RDSPs”) of cloud computing services, online marketplaces, and online search engines.
What is going well?
- Organisations are taking measures “to ensure the security of their networks and information systems”, which should help to reduce their risk profile.
- OESs also commented that the Regulations have “brought cyber security to the fore at board level”. Unsurprisingly, cyber security was already highly prioritised in RDSPs, but the majority still noted that the Regulations had led to improvements in understanding and standards.
- Although net costs from implementing the Regulations were generally higher than originally estimated in 2018, the review commented that “the additional expenditure on security is an indication that organisations in scope are positively engaging with the requirements of the Regulations.”
Areas for improvement
Despite this progress, “[t]here remains a significant threat to the sectors in the scope of the Regulations.” Areas for improvement included: additional cost recovery powers for competent authorities; more clarity and certainty in the enforcement regime (to date there have been no large fines); and a more efficient and transparent appeal system.
It was felt that, in some cases, the Regulations brought too many small businesses within their scope, while also failing to cover some organisations that are critical to the provision of essential services. Meanwhile, incident reporting thresholds may be too high, as few incidents have been reported.
Supply chain cyber risk (for example, cyber attacks on the ‘weak link’ in an interconnected supply chain) was widely highlighted as an issue. The review called for more governmental guidance and advice (e.g. standard contractual clauses and supplier questionnaires), and possibly regulatory action, as part of its forthcoming wider review of cyber security.
How does the UK compare to other Member States?
The review referred to the EU Commission’s 2019 report, which assessed the NIS Directive’s implementation across the EU, and to the UK’s Explanatory Memorandum on it. It highlighted, for example, that the UK’s regime brought a more limited number of sectors in scope than many other Member States did (a key difference being the UK’s decision to exclude the financial services sector when implementing the NIS Directive). However, the UK’s maximum penalty of £17 million is higher than that of most other Member States. The first full report by the Commission into the overall functioning of the NIS Directive is officially due by 9 May 2021, although there have been recent reports that the Commission’s review will be carried out this year.
The review notes that the Regulations should “remain flexible and able to adapt to the constantly-changing circumstances.” There are likely to be public consultations on the areas highlighted for improvement, with amendments largely by statutory instrument. The next review is recommended for five years’ time.
The review also confirms that the (EU) NIS Directive will no longer apply to the UK after 31 December 2020 (i.e. the end of the Brexit transition period), although an amended version of the (UK) Regulations will continue in force. This will particularly affect UK RDSPs that have a European presence or offer services into the EU, as they may need to designate an EU representative (described recently in the Commission’s notice of 26 May 2020).