Network and Information Systems (EU Exit) (Amendment) Regulations 2021

Considered in Grand Committee

Moved by

That the Grand Committee do consider the Network and Information Systems (EU Exit) (Amendment) Regulations 2021.

My Lords, these regulations were laid in draft before the House on 26 October. They will make important rectifications to the UK’s network and information systems legislation, which helps maintain the security of key digital services on which British people and businesses rely. Their purpose is to ensure that the Information Commissioner’s Office, in its role as competent authority for digital service providers, is kept informed of serious cyber events that affect digital service providers, comprising online marketplaces, online search engines and cloud computing services.

Before I turn to the provisions set out in this instrument, I will set the scene for the proposals it contains. The Network and Information Systems Regulations implemented the European Union’s security of network and information systems directive of 2016. As a result of our departure from the European Union, certain deficiencies have arisen in the relevant legislation retained under the provision of the European Union (Withdrawal) Act 2018, which this instrument seeks to rectify.

The purpose of the Network and Information Systems Regulations, or NIS regulations for short, is to improve and maintain the security and resilience of essential services, such as transport or energy, within the UK, as well as certain digital service providers. The NIS regulations work by compelling operators of essential services and digital service providers to undertake measures to protect the network and information systems on which their essential or digital services rely from failure through either cyberattack or physical faults.

The NIS regulations are overseen by 12 competent authorities, which act as regulators for essential and digital services across six sectors. Organisations in scope of the NIS regulations must fulfil certain duties, such as having appropriate measures to protect their services and, critically, reporting cybersecurity incidents that have a substantial impact on their services to their competent authority.

Digital service providers, which form one of these six sectors, are regulated by the Information Commissioner, who acts as the competent authority. In other sectors, the factors and incident reporting thresholds, which determine what constitutes a “substantial impact” for the purposes of reporting, are set out in guidance published by the relevant competent authority.

Under the original EU directive and the UK’s subsequent implementation, digital services are treated differently from essential services. They were regulated at an EU level, with one country taking responsibility for the activities of an individual digital service provider across the whole of the European Union. For this reason, the factors to be taken into account when determining whether an incident had a substantial impact for the purpose of reporting were not left to member states but set out in the Commission’s implementing regulation, which applied across the EU market. When an incident reaches this threshold, it must be reported to the relevant competent authority, which regulates that provider on behalf of the European Union.

There are also other minor textual amendments to the NIS legislation resulting from our departure from the EU, such as those that require digital service providers to consider the geographical impact of an incident across the UK, rather than across the EU. The amendments in the instrument are made using the power in Section 8 of the EU withdrawal Act. As the Committee will be aware, such provisions allow only for changes to be made to rectify EU-related deficiencies and not to implement policy changes.

I am content that these changes do not implement a new policy; rather, they make good on a requirement that is already in place—to notify substantial cyber incidents—by ensuring that the thresholds for reporting can be set at a level sustainable for the UK market. The changes do not introduce any new elements to the NIS legislation or make changes to the nature of the duties imposed on digital service providers.

I am certain that the Committee will recognise the significance of supporting the security of digital services for our society—from ensuring that people are able to use the internet securely to protecting the critical digital services that underpin the functioning of our economy.

Having the right legislative framework for deterring those who aim to compromise our systems and providing the necessary tools to help those who become victims of such compromises is vital. Without knowledge of such incidents, we cannot act: regulators and experts cannot provide much-needed support and guidance and we cannot inform others of impending threats.

In summary, the primary purpose of this instrument is to remove the incident reporting thresholds for digital service providers operating in the UK from legislation, allowing the thresholds instead to be set by the Information Commissioner in guidance at a level suitable for the UK economy.

The amendments are small, but nonetheless important to the functioning of our legislative framework. They ensure that the intended objective is achieved, that the policy is better implemented and that regulators have the tools to protect key digital services across our economy. As a result of these changes, the effectiveness of the network and information systems legislation to protect digital service providers will be retained. I commend these regulations to the Grand Committee.

My Lords—well, my Lord—the Minister will be pleased to know that I do not have a lot that I want to say. As I understand it, this SI makes a couple of small changes, as the Minister has said, to retained EU law regulating the security of network and information systems of core UK service providers to reflect that fact that we are no longer part of the pan-EU regulatory regime.

I have just one or two questions. Why, given that the transition period ended almost a year ago, are we debating these changes only at the end of November 2021? While this may not have been day-one critical, one would have hoped that these kinds of cybersecurity issues would have been a priority for the DCMS.

The Government are lowering the reporting thresholds when relevant cyber incidents occur in an attempt to ensure that the Information Commissioner is sighted on them. Can the Minister confirm whether DCMS knows of any incidents occurring earlier in the year that did not meet the current threshold that would have met the revised one had it been in place?

When we discussed amendments to EU-derived regulations for video-on-demand providers in the past, the department conceded that our departure from the EU meant that we had no formal jurisdiction over most of the main players, which were generally registered on the continent. Is there a similar situation with some of the digital service providers or is this not a concern currently?

The Explanatory Memorandum, which I found very clear and helpful, shows that most of the costs associated with the change will fall on the Information Commissioner’s Office. Our understanding is that the Information Commissioner is working well as a regulator, but of course with expanded responsibilities comes the need for greater resourcing. Is DCMS comfortable that the commissioner has enough staff and wider resource to complete these duties?

My Lords, I am grateful to the noble Lord for his questions and helpful comments on the impact assessment. He asked why we are doing this now and not sooner. The issue that I outlined at the beginning was not identified as a deficiency until last year, when the Information Commissioner raised concerns over incident thresholds with DCMS—that is why we have brought forward the statutory instrument at her recommendation and in consultation with the ICO.

The noble Lord asked about the ICO’s resources. We are confident that it has the resources, but we will maintain close dialogue with her to keep that under review. We have a continuing relationship with the EU. The matters here obviously cross international boundaries and, despite leaving the European Union, we continue to work with our European neighbours and other international partners on issues such as this. But obviously we have no obligation to implement the new directive that the EU is bringing forward. We are monitoring developments in the EU to assess any impacts that those changes might have.

I am afraid I missed the noble Lord’s second question, but the note I have been handed reminds me that it was on digital service providers. There is now a requirement for non-UK digital service providers to register with the Information Commissioner. As I say, there will be a divergence from EU regulations, but we will continue to follow a similar approach. I hope that answers the questions that he outlined and, on that basis, I commend the regulations to the Committee.

Motion agreed.

Committee adjourned at 7.37 pm.