Changes coming to NIS regime sanctions

Changes to the NIS regime are one step closer as the Government publishes its response to its summer consultation

The NIS regime aims to make the EU’s (and UK’s) essential services in sectors such as transport, energy and certain digital services more secure and resilient by improving the security of their network and information systems. It has been in force for over 2 years and is now subject to review at both UK and EU level.

Call for views

In August 2020 the UK Government published a call for views on a proposed statutory instrument to amend the UK’s NIS Regulations in a range of areas. The proposed changes included:

- greater powers for competent authorities around information sharing, inspections and service of information notices;

- strengthening the enforcement regime – e.g. enabling fines to be issued without an enforcement notice having been issued first, and new civil powers to ensure compliance with enforcement notices;

- amending the penalty regime – revising the penalty band criteria (although the £17m, £8.5m and £1m penalty figures remain) and introducing a two-step process where competent authorities serve a notice of intention to impose a penalty before making a final decision through a penalty notice. As with the current ICO/GDPR fines, this would allow operators of essential services and relevant digital service providers to submit representations on the proposed penalty before the formal fine is issued;

- introducing a new statutory appeals process (via the First-tier Tribunal);

- extending the timelines for reviews of the regime to five years;

- changing the in-scope criteria and thresholds for operators in the energy and digital infrastructure sectors and adding an obligation on operators of essential services to notify their competent authority if they believe they no longer fit the criteria to fall in scope of the NIS regime;

- a new requirement for operators of essential services established outside the UK to nominate a representative in the UK (and for more information on the current rules around this for digital service providers, see our blog); and

- confirmation that notification of "incidents" (for example, a cyber attack which impacts a relevant IT system) to the relevant competent authority must be in writing.

Consultation response

The responses to this consultation process were said to be largely positive, although they did identify a number of issues with the proposals which the Government addressed in its response (published on 9 November 2020). These included the need for:

- changes to the proposals around information sharing, information notices and audits to limit their scope and build in requirements of reasonableness and proportionality. For example, in relation to information notices, the Government planned to expand the grounds for information notices to ensure that the relevant regulators (competent authorities) have access to the information they need to understand the threats in their sector. However, it was felt that the proposals were too broad and placed an unfair burden on operators of essential services and relevant digital service providers. They have therefore been amended so that regulators/authorities must act reasonably and have reasonable grounds to request information, and that the information requested must be pertinent;

- clear guidance around the penalty regime. While the Government’s response recognised this, it simply confirmed that the competent authorities already have a duty to issue such guidance and that it is appropriate that such guidance is delivered via that medium; and

- further operational changes around the enforcement and penalty regime to support the principle of requiring representations from operators of essential services and digital services providers before a decision around enforcement is reached.

Comment

The NIS regime is still fairly new and this May’s Post-Implementation Review (which looked at how effective it had been in achieving its original objective of improving security standards across critical UK sectors) confirmed that it is too early to judge its long-term impact. However, to-date it has been largely overshadowed by the GDPR. The fact that the Government is looking to make changes to “improve the implementation of the NIS Regulations” including strengthening the enforcement and penalty regimes, and that organisations (and regulators) should have more time to focus on the regime now that GDPR implementation programmes are bedding down, mean we are now likely to see an increased focus in this area.