My Lords, these regulations were laid in draft before the House on 26 October. They will make important rectifications to the UK’s network and information systems legislation, which helps maintain the security of key digital services on which British people and businesses rely. Their purpose is to ensure that the Information Commissioner’s Office, in its role as competent authority for digital service providers, is kept informed of serious cyber events that affect digital service providers, comprising online marketplaces, online search engines and cloud computing services.
Before I turn to the provisions set out in this instrument, I will set the scene for the proposals it contains. The Network and Information Systems Regulations implemented the European Union’s security of network and information systems directive of 2016. As a result of our departure from the European Union, certain deficiencies have arisen in the relevant legislation retained under the provision of the European Union (Withdrawal) Act 2018, which this instrument seeks to rectify.
The purpose of the Network and Information Systems Regulations, or NIS regulations for short, is to improve and maintain the security and resilience of essential services, such as transport or energy, within the UK, as well as certain digital service providers. The NIS regulations work by compelling operators of essential services and digital service providers to undertake measures to protect the network and information systems on which their essential or digital services rely from failure through either cyberattack or physical faults.
The NIS regulations are overseen by 12 competent authorities, which act as regulators for essential and digital services across six sectors. Organisations in scope of the NIS regulations must fulfil certain duties, such as having appropriate measures to protect their services and, critically, reporting cybersecurity incidents that have a substantial impact on their services to their competent authority.
Digital service providers, which form one of these six sectors, are regulated by the Information Commissioner, who acts as the competent authority. In other sectors, the factors and incident reporting thresholds, which determine what constitutes a “substantial impact” for the purposes of reporting, are set out in guidance published by the relevant competent authority.
Under the original EU directive and the UK’s subsequent implementation, digital services are treated differently from essential services. They were regulated at an EU level, with one country taking responsibility for the activities of an individual digital service provider across the whole of the European Union. For this reason, the factors to be taken into account when determining whether an incident had a substantial impact for the purpose of reporting were not left to member states but set out in the Commission’s implementing regulation, which applied across the EU market. When an incident reaches this threshold, it must be reported to the relevant competent authority, which regulates that provider on behalf of the European Union.