Detail of outcome
The main changes the Government proposes to make are clarifying:
- the thresholds required to identify operators of essential services;
- the role of the Competent Authority and how powers may be delegated to agencies;
- that the role of the National Cyber Security Agency is limited to cyber security;
- the expectations on operators within the first year or so; and
- the definitions of Digital Service Providers.
The Government also intends to simplify:
- the incident response regime, to separate incident response procedures from incident reporting procedures; and
- the penalty regime slightly, to reduce the risk of fines in excess of £17m.
The Government believes these changes will provide further reassurance to industry. The Government again reiterates that our approach will remain reasonable, proportionate and appropriate and that the Government and Competent Authorities will work closely with industry to ensure that this legislation will be a success.
Read the full outcome in the Government response above.
The Government also carried out a further targeted consultation on Digital Service Providers. This ran from 26 March 2018 until 29 April 2018 - see below for full details.
Detail of feedback received
The Government received 358 responses to this consultation. These responses showed there was broad support for the Government’s approach and that, in the main, the Government’s proposals were thought to be appropriate and proportionate. Respondents also highlighted areas of concern and the Government has attempted to address these through changes to its approach.
More detailed analysis of the responses to the consultation can be found in the accompanying Analysis Paper.
As our reliance on technology grows, the impact of failure in those systems and the opportunities for those who would seek to compromise our systems and data increase. Responding to this threat and ensuring the safety and security of cyberspace is an essential requirement for a prosperous UK economy. We need to secure our technology, data and networks in order to keep our businesses, citizens and public services protected.
The European Commission, in cooperation with Member States, has agreed a Directive with the aim of increasing the security of Network and Information Systems (NIS) within the European Union (EU). The Government supports the aims of the Directive and sets out in this consultation the proposed implementation approach in the UK.
The NIS Directive will help make sure UK operators in electricity, transport, water, energy, health and digital infrastructure are prepared to deal with the increasing numbers of cyber threats. It will also cover other threats affecting IT, such as power failures, hardware failures and environmental hazards.
This consultation seeks views from industry, regulators and other interested parties on the Government’s plans to transpose the Directive into UK legislation. It sets out the Government’s proposed transposition approach and asks a series of questions on a range of detailed policy issues relating to transposition.
The consultation covers:
- The essential services the Directive needs to cover
- The penalties
- The competent authorities to regulate and audit specific sectors
- The security measures we propose to impose
- Timelines for incident reporting
- How this affects Digital Service Providers
You can respond to the consultation online here, or via the other ways set out in the consultation document.
The consultation closed at 11:45pm on 30 September 2017.
Targeted Consultation on Digital Service Providers
In the Government’s response to the public consultation on its proposals to implement the Security of Network and Information Systems Directive (the “NIS Directive”), DCMS committed to carry out a further targeted consultation on how the NIS Directive will apply to Digital Service Providers (DSPs) in the UK. This targeted consultation would take place once the European Commission’s Implementing Regulation for Digital Service Providers was published. The Implementing Regulation was published in the Official Journal of the European Union on 30 January 2018 and can be found on the EUR-LEX website.
DCMS therefore carried out this further targeted consultation during March and April 2018. The consultation was aimed at those respondents who indicated a desire to participate in this further consultation in their response to the main public consultation in 2017. The consultation was sent in the form of a PDF attached to an email.
In the interest of transparency, the text of the targeted consultation has been published on this page.
The Government received 12 responses to this consultation. The majority of responses indicated there was broad support for the Government’s overall approach towards digital service providers, but there continued to be uncertainty over exactly who was in scope - particularly in relation to cloud service providers - and that greater clarification was needed on the subject of cost recovery.
The Network and Information Systems Regulations 2018 (NIS Regulations) are now in effect. The Government therefore proposes to use the outcome of this consultation to assist the Information Commissioner’s Office (ICO) in clarifying its guidance to digital service providers. The key areas the Government will look to clarify are:
- How DSPs can more easily identify whether they are within scope of the NIS Regulations;
- How cloud services in particular are defined; and
- How the ICO’s cost recovery process will operate.
Further information is available in the DSP Consultation Response document below.