Policy paper

Call for views on amending the NIS regulations 2018

Updated 9 November 2020

1. How to respond

This document sets out the Government’s approach following the recommendations made in the 2020 Post-Implementation Review of the NIS Regulations, published in May 2020, and our proposed legislative changes based on the findings of the Review.

1.1 Responses

By Online Survey

Respondents are invited to provide answers to these questions using the online survey tool here:

Respond to the call for views here.

Respondents are welcome to only answer questions relevant to them. Supporting evidence should be submitted directly to nis@dcms.gov.uk. Partial responses will be recorded and included in the analysis.

By Post

Hard copy responses can be sent to:

NIS Directive Team
Department for Digital, Culture, Media & Sport
4th Floor
100 Parliament Street
London
SW1A 2BQ

By Email

Alternatively, respondents can download and populate the feedback form on the main page and email responses directly to nis@dcms.gov.uk.

When responding, please clarify:

• if you are responding on behalf of an organisation or in a personal capacity which questions you are answering (there is no need to respond to all of the questions if they are not all relevant to you)
• whether you are willing to be contacted (if so, please provide contact details), and
• whether you prefer for your response to remain confidential and non-attributable (if so, please specify).

All responses should be submitted in advance of the closing date for this Call for Views, which is at 23:59 on 25 September 2020.

2. Executive summary

The Network and Information Systems Regulations 2018 (NIS Regulations) came into force on 10 May 2018 and are aimed at improving the level of security of organisations that provide essential services to the UK, as well as some digital services. The NIS Regulations apply to operators of essential services in the transport, energy, water, health, and digital infrastructure services as well as to online marketplaces, online search engines, and cloud computing services (as digital service providers). The implementation and enforcement of the NIS Regulations is the responsibility of designated competent authorities, and this regulatory activity is further supported by the UK’s national technical authority, the National Cyber Security Centre.

This work is part of the Government’s £1.9 billion 2016 National Cyber Security Strategy to protect the UK in cyber space and make the UK the safest place to live and work online.

In May 2020, the Government published its first Post-Implementation Review of the NIS Regulations. The review’s purpose was to evaluate how effective the NIS Regulations have been in achieving their original objective of improving security standards across critical UK sectors. The review showed that whilst it is still too early to judge the long term impact of the NIS Regulations, organisations in scope are beginning to take steps to improve the security of their network and information systems and that the NIS Regulations are having a positive effect. The Post-Implementation Review also identified several areas of improvement to the NIS Regulations requiring policy interventions from the Government, which would enhance their overall efficiency. These relate primarily to introducing an independent appeals mechanism, changes to regulatory authorities’ enforcement powers, expanded information-sharing provisions, amendments to the designation thresholds, refining the application of penalties, and other technical and operability changes.

The Government has worked to develop these proposals to improve the functioning of the NIS Regulations and this Call for Views is seeking feedback from industry, particularly from organisations in scope of the NIS Regulations, on the initial draft of the legislation.

PLEASE NOTE: This consultation is limited to how the UK proposes to introduce further amendments to the NIS Regulations; the Government has already consulted more widely on other aspects of the implementation of the NIS Regulations (see section below).

2.1 Previous consultations

The UK held a public consultation from August to September 2017 on its proposals to implement the NIS Directive. This consultation covered six main topics:

• how to identify essential services
• a national framework to manage implementation
• the security requirements for operators of essential services
• the incident reporting requirements for operators of essential services
• the requirements on Digital Service Providers, and
• the proposed penalty regime.

The Government received over 350 responses to this consultation. These responses showed that there was broad support for the Government’s approach, and for the decision to continue to apply the NIS Regulations after the UK’s exit from the EU. The Government’s response to the public consultation was published on 29 January 2018. Subsequent to the Government’s response, the European Commission adopted an Implementing Act (as required under Article 16(8) of the NIS Directive), which was published in the Official Journal of the European Union on 30 January 2018 (and entered into force 20 days later). It can be found on the EUR-LEX website.

In March 2018, the Government published a targeted consultation on the implementation of the NIS Regulations for digital service providers. The consultation covered six main topics:

• definitions of digital service providers
• security measures
• incident reporting
• digital service providers that serve operators of essential services
• digital service providers that are also operators of essential services, and
• costs.

These responses indicated there was support for the Government’s overall approach towards digital service providers, but there continues to be uncertainty over exactly who is in scope, and greater clarification was needed on the subject of cost recovery. The Government’s response to the targeted consultation was published on 31 August 2018.

In March 2019, the Government published an open call for views that sought comments on an amendment to the NIS Regulations to include a new requirement following the UK’s departure from the EU. Under this requirement, a digital service provider whose head office is not in the UK but which offers services in the UK will have to designate a representative in the UK and comply with our domestic NIS framework. This requirement mirrors a requirement in the NIS Directive that affects digital service providers established in the UK but which offer services in the EU.

The Statutory Instrument^{[footnote 1]} which introduces this requirement has been made and laid, and will come into effect twenty days after the end of the Transition Period. The Government’s response to the call for views was published on 24 July 2019.

3. The Government’s proposal

The Government is proposing to lay a Statutory Instrument to amend the NIS Regulations. A Keeling Schedule (an example of the final legislation with all changes incorporated) has been provided to help identify the new proposals and visualise the legislation.

This Statutory Instrument will implement various changes as a result of the Government’s findings from the Post-Implementation Review. The Government considers that these policy interventions will help strengthen the application of the NIS Regulations and allow competent authorities to carry out their implementation duties more effectively while improving clarity and transparency for organisations in scope.

In the longer term, the Government considers that these amendments will bring improvements to the UK’s overall cyber resilience (as much as it is covered by the present framework) and strengthen confidence in the regulations. The Government has identified several policy areas which we are proposing to amend. Please note these below, including with references to where these changes are proposed in the text of the instrument. Each section contains the exact provision these changes refer to, in the following format:

regulation […] of the draft Statutory Instrument, amending regulation […] of the NIS Regulations 2018.

We encourage participants to review the Call for Views, draft legislation, and Keeling Schedule in full before answering any of the questions posed in Section 4 as not all proposed amendments (e.g. technical or operational drafting changes) have questions attached to them.

3.1 Information-sharing powers

• regulation 4 amending regulation 6 (information sharing - enforcement authorities)

Competent authorities have an obligation to cooperate with other competent authorities and with law enforcement authorities. In order to clarify how information will be shared, this Statutory Instrument introduces information-sharing provisions, providing further clarification as to how competent authorities can share information with each other and with law enforcement authorities for regulatory and national security purposes, and for the purpose of criminal proceedings and investigations.

These provisions will ensure that information is shared in a manner that is appropriate and proportionate for the implementation of the NIS Regulations.

3.2 Amendments to the provision of Information Notices

• regulation 11 amending regulation 15 (information notices)

Competent authorities use incident reports to identify priority areas to ensure that the Government is focusing its resources and support in the most impactful way. For this reason, operators of essential services and relevant digital service providers are encouraged to report incidents voluntarily either to the competent authorities or to the National Cyber Security Centre.

In order to ensure that competent authorities have access to information needed to understand the threats affecting their sector, this Statutory Instrument will expand the grounds for information notices to establish whether there have been any events that had an adverse effect on networks or information systems.

This amendment will allow competent authorities to have more effective tools to address regulatory requirements for each sector. Expanding the grounds for information notices will also allow competent authorities to identify failures to comply with the duties in the NIS regulations and is needed to ensure that they have access to relevant information in relation to breaches, in order to make informed decisions before proceeding to enforcement or penalty action.

This primary purpose of this provision will be to obtain information that is reasonably required for competent authorities to carry out different aspects of their role under the NIS Regulations (e.g. focusing on breaches that have already materialised as opposed to potential breaches). These amendments maintain the original policy intention of the information notice but expand its application to support the wider regulatory regime.

3.3 Powers of Inspection

• regulation 12 amending regulation 16 (power of inspection)

The Government proposes the above amendments to regulation 16 to improve and provide further clarification and transparency to NIS inspections, in addition to setting out more clearly what powers are available to inspectors.

These proposals are tailored to the NIS Regulations but remain consistent in their intention and application with other similar legislation; they are aimed at both ensuring that inspectors have appropriate and proportionate powers to carry out NIS functions but also to ensure that all parties involved benefit from more explicit provisions setting out how inspections may function. Finally, these changes include the addition of powers to conduct tests that would be required to make informed assessments as to an operator of essential services / relevant digital service provider’s levels of security of network and information systems.

3.4 Strengthening the enforcement regime

• regulation 13 amending regulation 17 (enforcement for breach of duties)
• regulation 16 introducing regulation A20 (enforcement by civil proceedings)

Competent authorities must have a diverse toolset at their disposal to implement the NIS Regulations, accounting for the diversity in the sectors in scope. The use of financial penalties might not be an appropriate solution in every situation or the most effective lever to drive desired behaviours. For this reason, this Statutory Instrument introduces new provisions that will allow competent authorities to initiate civil proceedings to ensure compliance with enforcement notices served under regulation 17, expanding the toolset available to competent authorities and moving away from using penalties as the ultimate measure to drive change.

The intention of the NIS Regulations is to ensure that operators of essential services and relevant digital service providers are cyber-resilient, which is why it is important for competent authorities to be able to ensure compliance with enforcement notices. To this end, the Statutory Instrument further clarifies that operators of essential services and relevant digital service providers must comply with enforcement notices; this is also regardless of whether they have complied with any imposed penalty notice.

The Statutory Instrument also clarifies an existing provision that competent authorities may serve multiple enforcement notices in scenarios where it would be appropriate to serve more than one (e.g. when the competent authority needs to address more than one breach simultaneously). This is to ensure clarity and avoid possible misinterpretation. Moreover, the grounds for which an enforcement notice may be served have been expanded to reflect the new requirements introduced by this Statutory Instrument.

Finally, this amendment ensures that other additions throughout the Statutory Instrument are operable (e.g. including the new Regulation 8A within the grounds for serving an enforcement notice) so that the regulations remain functional and appropriate.

3.5 Amendments to the penalty regime

• regulation 14 amending regulation 18 (penalties)

The objective of the NIS Regulations is not to punish organisations that have suffered an incident, but to ensure that operators of essential services and relevant digital service providers are cyber-resilient. For this reason, the penalty bands (as described in regulation 18(6)) have been revised to reflect the seriousness of different categories of breaches. The revised penalty bands also allow competent authorities the discretion to issue penalties that are more appropriate for each sector.

The Statutory Instrument will also clarify that penalty notices would not necessarily be linked to enforcement notices (e.g. it will not necessarily require one to be issued beforehand); this will allow for penalties to be issued when they are warranted, having regard to all the facts and circumstances of the case, and maintaining the principles of reasonableness and proportionality in regulation 23.

In addition to this, the Government proposes to introduce a two-step process where competent authorities may serve a notice of intention to impose a penalty before making their final decision through a penalty notice. This process will allow operators of essential services and relevant digital service providers to submit representations on the proposed penalty decision before the competent authority issues a formal penalty notice; it is vital that penalties are served with as much awareness of the facts as possible, and this new provision supports operators of essential services and digital service providers by adding an additional layer of scrutiny before a final penalty decision is made.

This section also reflects necessary changes due to the amendments to other parts of the NIS Regulations (e.g. reflecting the move towards a statutory appeal mechanism under regulation 19 or mirroring the explicit clarification that multiple penalty notices may be served at once, as required following the changes to the enforcement notices).

3.6 Introducing a statutory appeal route via the First-Tier Tribunal

• regulation 3 amending regulation 1 (interpretation)
• regulation 15, omitting regulation 19 (independent review)
• regulation 16, inserting regulations 19A and 19B (appeal by an operator of essential services or relevant digital service providers)
• regulation 17, amending regulation 20 (enforcement of penalty notices)
• regulation 21 (transitional and saving provisions)

Regulation 19 of the NIS Regulations currently includes a requirement for competent authorities to appoint an independent reviewer at the request of an operator of essential services / relevant digital service provider to review either designation decisions or penalty notices. The Government proposes to improve the current framework to ensure there is consistency across sectors on the application of this regulation and to limit the burden on both operators of essential services / relevant digital service providers and competent authorities.

The proposed approach is to omit regulation 19 entirely and replace it with new regulations 19A and 19B, which provide for a statutory appeals process, with appeals heard by an existing tribunal, the General Regulatory Chamber of the First-tier Tribunal. The General Regulatory Chamber’s jurisdiction already extends to General Data Protection Regulation disputes and has a wide-ranging portfolio of sectors, including information rights and electronic communications. The General Regulatory Chamber of the First-tier Tribunal is considered a suitable chamber destination for appeals under the NIS Regulations by the competent authorities and the Ministry of Justice.

In order to be compatible with the rules of procedure of the General Regulatory Chamber (the General Regulatory Chamber Rules), there is a need to amend the NIS Regulations to remain operable within the new jurisdiction; changes must also take into account any applicable provisions in the Regulator’s Code and other wider Ministry of Justice policy on tribunal procedures.

A summary of the Rules, as they would apply, is available below, but respondents are encouraged to explore the entirety of the Rules as well:

• The appellant must provide to the tribunal their notice of appeal so that it is received within 28 days of the date on which the competent authority sent the notice of the decision to them;
• Following lodging of the notice of appeal, the competent authority must then submit its response to the notice of appeal and the reasons for its decision within 28 days;
• The appellant may provide a written submission and further documents in reply to a response from the competent authority within 14 days after the date on which the respondent or the Tribunal sent the response to the appellant;
• The appellant may submit a written application for the Tribunal to decide whether the substantive decisions should be stayed (or sisted in Scotland) or suspended;
• The appellant may give notice of withdrawal of their appeal at any time, either by written notice, or orally at a hearing, and this will be effective if the Tribunal consents;
• The Tribunal will make its decision and provide to each party as soon as reasonably practicable: a decision notice stating the decision, written reasons and notification of any right of appeal including the time within which it may be exercised;
• In the General Regulatory Chamber, the costs do not usually follow the event, however, the Tribunal may award costs where it finds that a party has acted unreasonably in bringing, defending or conducting the appeal (or make an order in relation to wasted costs);
• Either party can make a written application asking for permission to appeal against the decision of the tribunal but only on a point of law. Such an application for permission must be received by the tribunal within 28 days.

We believe that the General Regulatory Chamber Rules, as generally applicable, are suitable for the processing of appeals in relation to the NIS Regulations and that there is no need to consider any further special provisions or rule changes through this Statutory Instrument.

We are also proposing a number of other changes to the approach taken currently in regulation 19 in the new Regulation 19A and 19B to improve the application of appeals. These include:

• extending the list of appealable matters to include enforcement notices and revocation notices of operators of essential services, in addition to designation notices (for operators of essential services only) and penalty notices, giving operators of essential services / relevant digital service providers more flexibility and power to raise appropriate appeals;
• explicitly laying out the grounds for appeals for operators of essential services / relevant digital service providers. These grounds are aligned with other regulations which use the General Regulatory Chamber for an appeals mechanism and clearly identify what basis appellants are able challenge a decision made against them and allow the Tribunal to dismiss vexatious or unmeritorious cases aimed at frustrating enforcement;
• allowing the General Regulatory Chamber to have the power to uphold or quash the whole, or part, of a decision and, in doing so, remitting the decision back to the competent authority with a direction to reconsider its original decision.

3.7 Timelines for Post-Implementation Reviews

regulation 19, amending regulation 25 (review and report)

In order to fully evaluate these new amendments and the longer term impact of the Regulations, the Government proposes to extend the timeframe to carry out future post-implementation reviews, set out in regulation 25, to the more well-established time-frame of 5 years, starting after the end of the next Post-Implementation Review in 2022.

3.8 Sectoral amendments to Schedule 2 and non-UK operators of essential services offering services in UK

• regulation 20 amending Schedule 2 (essential services and threshold requirements)
• regulation 6 inserting regulation 8A (Nomination by an operator of essential services of a person to act on its behalf in the United Kingdom)
• regulation 5 inserting regulation 8(7A) and new regulation (7B) (identification of operators of essential services)

The Post-Implementation Review expressed a clear need to ensure that the NIS Regulations remain flexible and adapt to the changing technological circumstances in order to remain effective. They must also ensure that all the right organisations are within the scope of the Regulations in order to secure relevant essential services. One method of ensuring this is to consistently review the organisations in scope and the methodology of identifying what is essential and must be in scope of the regulations.

The changes to Schedule 2 are tailored to the energy and digital infrastructure sectors. The amendments to the thresholds in the energy sector are aimed at reducing ambiguity by providing further information and definitions, whereas the amendments to the digital infrastructure sector expand on the thresholds themselves and ensure that the right organisations are in scope of the NIS Regulations.

Revocation of a designation of ‘Operator of Essential Services’

Following the designation process, an organisation’s size and structure may change in such a way that it would render it outside of the criteria for the NIS Regulations. The introduction of regulations 8(7A) and 8(7B) sets out the requirement for an operator of essential service to notify the competent authority in writing, alongside supporting evidence, should they believe they no longer meet these criteria. This activity is currently heavily reliant on competent authorities requesting information as there is no requirement for operators of essential services to proactively raise changes in circumstances which are both impractical and resource intensive.

Requirement for operators of essential services outside the UK to designate a nominated person in the UK (new Regulation 8A)

Some operators of essential services in scope of the NIS Regulations are headquartered outside of the UK and might not necessarily have a physical presence in the UK due to the nature of networks and information systems and the services they provide. This could potentially create challenges when competent authorities need to reach out to them for regulatory purposes.

For this reason, the Government is proposing to introduce a requirement for operators of essential services established outside of the UK to nominate a person in the UK to act on their behalf for the purpose of the NIS Regulations. The intention is to ensure that competent authorities are able to support all operators of essential services in complying with the NIS Regulations and to protect the essential services they provide.

The requirement in new Regulation 8A is not related to the UK’s membership of the EU; it is intended to address a broader issue regarding operators of essential services based in third countries that has been raised by competent authorities. This requirement is similar, but unrelated to that established by SI 2019/1444, which will come into effect twenty days after the end of the Transition Period, and introduces a requirement for Relevant Digital Service Providers established outside the UK to designate a representative in the UK.

4. Questions

1. Are you responding as an individual or on behalf of an organisation? (Individual / Organisation)

2. If you answered ‘b)’ to question ‘1)’, is your organisation in scope of the NIS Regulations? (Yes/No)

3. To what extent do you agree or disagree with our proposals to improve the Information sharing provisions in the Regulations? (Strongly agree / agree / neither agree or disagree/ disagree / strongly disagree / don’t know)

4. To what extent do you agree or disagree with our proposals to clarify information notices? (Strongly agree / agree / neither agree or disagree/ disagree / strongly disagree / don’t know)

5. To what extent do you agree or disagree with our proposals to amend the powers of inspection? (Strongly agree / agree / neither agree or disagree/ disagree / strongly disagree / don’t know)

6. To what extent do you agree or disagree with our proposal in regards to strengthening the enforcement regime?
   (Strongly agree / agree / neither agree or disagree/ disagree / strongly disagree / don’t know)
7. To what extent do you agree or disagree with the changes proposed to the penalty regime? (Strongly agree / agree / neither agree or disagree/ disagree / strongly disagree / don’t know)
8. Are the General Regulatory Chamber Rules suitable for the handling of appeals against decisions by the competent authorities? (Yes / No / Don’t know)
9. To what extent do you agree or disagree with our approach to introducing a statutory appeal route via the First-tier Tribunal?
   (Strongly agree / agree / neither agree or disagree/ disagree / strongly disagree / don’t know)
10. To what extent do you agree or disagree with changes to the timeline for post-implementation reviews? (Strongly agree / agree / neither agree or disagree/ disagree / strongly disagree / don’t know)
11. To what extent do you agree or disagree with the proposed changes to Schedule 2 of the NIS Regulations? (Strongly agree / agree / neither agree or disagree/ disagree / strongly disagree / don’t know)
12. Please provide any other thoughts or feedback on the proposed legislative changes that you would like for us to note (Open text answer)

5. Draft legislation

A copy of the draft Statutory Instrument containing all of the aforementioned provisions is provided as a separate document.

6. Privacy notice

The following is to explain your rights and give you the information you are entitled to under the Data Protection Act 2018 and the General Data Protection Regulation (“the Data Protection Legislation”). This notice only refers to your personal data (e.g. your name, email address, and anything that could be used to identify you personally) not the content of your response to the survey.

1. The identity of the data controller and contact details of our Data Protection Officer

The Department for Digital, Culture, Media and Sport (“DCMS”) is the data controller. The Data Protection Officer can be contacted at dcmsdataprotection@dcms.gov.uk .

You can find out about how DCMS uses and protects your data here.

2. Why your personal data is being collected

Your personal data is being collected as an essential part of the consultation process, so that the government can contact you regarding your response and for statistical purposes such as to ensure individuals cannot complete the survey more than once.

3. The legal basis for processing personal data

The Data Protection Legislation states that, as a government department, the department may process personal data as necessary for the effective performance of a task carried out in the public interest. (i.e. a Call for Views).

4. How will your personal data be shared

Copies of responses may be published after the survey closes. If we do so, we will ensure that neither you nor the organisation you represent are identifiable, and any responses used to illustrate findings will be anonymised.

If you want the information that you provide to be treated as confidential, please contact foi@dcms.gov.uk. Please be aware that, under the Freedom of Information Act (FOIA), there is a statutory Code of Practice with which public authorities must comply and which deals, amongst other things, with obligations of confidence.

In view of this, it would be helpful if you could explain why you regard the information you have provided as confidential. If the government receives a request for disclosure of the information, the government will take full account of your explanation, but cannot give an assurance that confidentiality can be maintained in all circumstances. An automatic confidentiality disclaimer generated by your IT system will not, of itself, be regarded as binding on the Department.

5. How long will your personal data be kept for?

Your personal data will be held for two years after the survey is closed. This is so that the department is able to contact you regarding the result of the survey following analysis of the responses.

6. Your rights in relation to access, rectification and erasure of data

The data we are collecting is your personal data, and you have considerable say over what happens to it. You have the right:

• to see what data we have about you;
• to ask us to stop using your data, but keep it on record;
• to have all or some of your data deleted or corrected, in certain circumstances;
• to lodge a complaint with the independent Information Commissioner if you think we are not handling your data fairly or in accordance with the law.

You can contact the Information Commissioner via the ICO website, by telephone 0303 123 1113, or by post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.

7. Additional information

Further to the above, you should also be aware of the following:

• Your personal data will not be sent overseas.
• Your personal data will not be used for any automated decision making.
• Your personal data will be stored in a secure government IT system.

1. SI 2019/1444, accessible on legislation.gov.uk. ↩