Ofcom has updated its guidance for those in the digital infrastructure subsector who are caught by The Network and Information Systems Regulations (the “NIS Regulations”).
The NIS Regulations set out measures to “boost the overall level of security (both cyber and physical resilience) of network and information systems that are critical for the provision of essential services”. In the digital infrastructure subsector this includes top level domain name registries/services, domain name system services, and internet exchange points.
Ofcom’s updated guidance reflects changes made to the NIS Regulations on 31 December 2020, following a Government review last June. It sets out the immediate steps Ofcom expects operators of essential services (‘OES’) in the digital infrastructure subsector to take (as a minimum) to meet their obligations, and Ofcom’s expected approach to its functions, under the amended NIS Regulations.
Some key changes addressed in the guidance include:
1. Notifications to Ofcom must be in writing: An organisation has an obligation to notify Ofcom if it is an OES in scope of the regime (or believes it has dropped out of the relevant thresholds) and/or if it has suffered an incident which has “a significant impact on the continuity of the essential service which that OES provides” and both of these notifications must now be in writing.
2. Designations of OES’: The updated guidance explains that:
(a) the threshold requirements for designation as an OES now applies irrespective of place of establishment;
(b) there is a new (linked) duty on OES' whose head offices are outside the UK to notify Ofcom of a “nominated person” in the UK with the authority to act on its behalf; and
(c) the December changes to the NIS Regulations included changes to the OES’ threshold requirements in the digital infrastructure subsector. Organisations who are now either in, or out, of scope have 3 months (i.e. until 31 March) to notify Ofcom of this fact.
3. Expanded powers for Ofcom: The updated guidance discusses Ofcom’s additional powers in areas such as information sharing, inspections, and information and enforcement notices. This includes the ability to bring civil proceedings in certain circumstances – for example for an injunction where an OES has failed to comply with the requirements of an enforcement notice.
4. Penalties and appeals: The guidance explains the updated penalties regime and appeals process. This includes the ability to issue a notice of intention to impose a penalty before making a final decision through a penalty notice, and an obligation to bring an appeal within 28 days.
Ofcom has stated that guidance “has the benefit of contributing to effective regulation by improving transparency and understanding”. It has published its updated guidance now but has acknowledged that further updates to the guidance may be required in the future as it engages with the NCSC, and the Department of Digital, Culture, Media & Sport (as well as other regulators).
Many thanks to Beatrice Pignatelli for her research assistance in preparing this post.