NIS Regulations – Another Ticking Time Bomb?

NIS Regulations – Another Ticking Time Bomb?
By Nicola Carlile, Arcanum Senior Consultant


Amidst much fanfare and, to be honest, a lot of hype around the financial penalties that could be imposed for failing to comply, the EU’s General Data Protection Regulations or GDPR came into force on May 25th.  But when did you first hear about the EU’s Network & Information Systems (NIS) Regulations, which carry equally disconcerting financial penalties? Quite possibly it wasn’t until well after 10th May, the date they took effect.

The NIS Regulations, are aimed at addressing the issue that the digitisation of essential services such as energy and transport has left them exposed to hackers, power and hardware failures.

Who’s impacted?

The NIS Regulations are principally aimed at the Critical National Infrastructure sector, i.e. those commercial businesses and Public Sector organisations such as hospitals, ports, the roads and railways that are essential for the functioning of the UK and its economy.  The definition in the NIS Regulations calls these “Operators of Essential Services” (OES), although there are thresholds defined by sub-sector, which mean that not all potential OES qualify as such.  Those that do had to contact their relevant Competent Authority by 10th August.

The definition also includes ‘Relevant’ Digital Service Providers (RDSPs).  These also have to self-identify and register themselves with their Competent Authority, the Information Commissioner’s Office (ICO).  But what makes a company an RDSP?  These are defined as search engines, online marketplaces and cloud services with a UK HQ, which excludes providers such as search engines like Google, Bing and Yahoo, as well as the on-line market places Amazon and eBay.  Micro and Small Enterprises are exempt from complying with the legislation.  With an estimated zero search engines and only two market places in scope, this leaves the RSDP focus on cloud computing services.

A deadline is looming…

RDSP have until 1st  November to register with the ICO, which is also responsible for GDPR and is only operating one mechanism for registration for both bits of legislation. GDPR registration attracts a fee which may cause some confusion to RDSPs registering on the ICO mechanism.

The NIS Police

The UK has 11 separate organisations acting as the Competent Authorities which will effectively police NIS compliance and enforcement across the 5 business sectors and 10 subsectors identified in the NIS Regulations with some Competent Authorities operating jointly.  The National Cyber Security Centre (NCSC) also has a role to play, providing technical support and guidance to other government departments, Devolved Administrations, Competent Authorities and OES, though does not in itself have any regulatory role.

The NIS Regulations came into effect in May, 15 days before the GDPR.  Some Competent Authorities are doing far better than others at providing timely guidance.  The Drinking Water Inspectorate has the greatest amount of information and guidance for its OES, with a NIS link on the front page of its website and a statement about guidance still to be published, together with a completion date. Ofcom (for the Digital Infrastructure sector) and the Department of Transport published initial guidance for OES in their sectors in advance of the Regulations coming into force.  The Department for Business, Energy and Industrial Strategy (BEIS) issued guidance two months after the Regulations came into force for OES in the energy sector, although Ofgem and the Health and Safety Executive, as the bodies responsible for NIS compliance and enforcement in the Energy Sector haven’t issued any NIS specific guidance yet.  Given the deadline for RDSPs to register is 1st November, the ICO, as the Competent Authority for RDSPs, issued its first guidance only this month, which puts extra pressure on the RSDPs.

What will getting it wrong cost?

Unlike GDPR, monetary penalties are tiered up to a maximum of £17m depending on severity, ranging from £1m at the bottom tier, up to £17m at Tier 4, the top of the scale.  The maximum penalty is reserved for the most damaging incidents, e.g. leading to an immediate threat to life.  However, as with the GDPR, it’s not the only course of action open to the Competent Authority, it’s one of a number, including Notices and Inspections and my guess is that it will take some time for us to get an idea of when fines will be issued and for how much.

Given that the ICO has started to take formal enforcement action against organisations who have failed to pay the required data protection fee under GDPR, with failure to pay potentially resulting in a maximum fine of £4,350, will we see RDSPs who fail to register also being subject to similar action?

Cyber Assessment Framework

NCSC developed the Cyber Assessment Framework (CAF) to provide a suitable framework to help Competent Authorities carry out assessments of their OES as required by the NIS Regulations.  Version 1 was published at the end of April this year, agnostic of sector and very much a ‘starter for 10’.  NCSC has made it clear that as it has no regulatory responsibilities, it will not be carrying out assessments using the CAF (or any other framework).  However, over the summer, it carried out five pilot assessments in three different sectors, looking to use these to inform development of the CAF.  Version 2 is due out at the end of this month and a round of assessments to be carried out by Competent Authorities in the spring will be used to shape the next issue, expected to be in the summer.  At the outset, it was recognised that there may be the need for sector specific aspects and perhaps this may be seen in the coming updates, there is no doubt that the CAF will continue to evolve.

The CAF is a series of exemplar Indicators of Good Practice (IGP) against the 39 contributing outcomes and the NCSC makes it clear that it’s not a tick-box compliance exercise.  It suggests that those carrying out assessments need strong sector knowledge, cyber security expertise and the ability to take a flexible approach, looking at all the relevant factors.  Given the shortage of cyber professionals that we read about on a frequent basis, assessors possessing all these qualities, particularly the sector knowledge piece, may be in short supply!

What about cyber insurance?

None of the guidance I have seen, or workshops I have attended have mentioned cyber insurance cover for OES and RDSPs in the same way that it was highlighted during the hype preceding the GDPR.  These businesses should be considering insuring their essential services, not just for physical loss or damage, but also the costs of incident handling, including investigation and notification. The cyber insurance market is maturing and cover is becoming more sophisticated, but businesses can’t insure against these potential losses unless both they and the Underwriters understand the level of risk they face, and this requires an effective, coherent risk assessment and management process to inform it.  I’m not sure that, in terms of cyber, OES have well-established systems, although there may be examples out there.  Cyber risk assessment for OES is no different than for any organisation and a collection of risk management is published on the NCSC website, including a summary of risk methods and frameworks that should be the start point.

How can we help?

Arcanum is one of only 14 consultancies certified by the NCSC for Risk Assessment and Risk Management.  We have been providing expert security advice for over 10 years and we are already working with OES to support them with NIS Regulation compliance.  We have experience of carrying out assessments using the CAF and can guide you through the process.

If you are an Operator of Essential Services or a Competent Authority please get in touch to organise a call or meeting. One of our NCSC accredited consultants would be delighted to guide you through the assessment process.

Please give us a call 01558 669140 or email