Since the UK left the EU, the EU thresholds for digital service providers to report incidents having a "substantial impact" are no longer appropriate for the UK alone. On 17 November 2021, the UK Government published its response to a call for views on amending the incident reporting thresholds for digital service providers in scope of the UK NIS Regulations. The direction of travel is for the incident reporting thresholds to be moved out of legislation and into guidance issued by the ICO. What might that look like and what are the potential implications for relevant digital service providers dealing with diverging requirements in the UK and EU?
Background: Current incident reporting thresholds and the UK Government's response
Relevant digital service providers (broadly, providers of cloud computing, online marketplace, and online search engine services) that are in scope of the NIS Regulations 2018 in the UK (RDSPs) are required to report without undue delay any incident having "substantial impact" on those services offered in the EU.
Currently, in order to determine whether the impact of an incident is "substantial", the RDSPs must take into account various factors set out under EU Implementing Regulation 151/2018 as it forms part of retained EU law in the UK. These factors include the number of users affected, duration, geographical impact etc. The RDSP must also assess whether one of four specified situations has taken place; for example, service unavailability for more than 5,000,000 user hours, where user-hours refers to affected users across the EU. As certain of these thresholds are defined with reference to the EU as a whole, the UK Government has recognised that these are not currently fit for purpose under the UK NIS framework and published a call for views in August 2021 accordingly.
In particular, the Government proposed to use its powers under the European Union (Withdrawal) Act 2018 to amend the relevant UK legislation, to instead allow for the ICO (as the competent authority for RDSPs in the UK) to set new thresholds. The intention is to give the ICO the power to change the reporting thresholds for RDSPs without the need for burdensome updating legislation, and consistent with the approach the NIS Regulations take for setting thresholds for reporting by operators of essential services. In its response on 17 November 2021, the Government confirmed this intention.
There is currently no statutory duty for the ICO to consult the industry on guidance setting out reporting thresholds for RDSPs. However, the Government's response notes that "the ICO has confirmed its commitment to regular engagement with the industry. This includes consulting on any changes to the thresholds with [RDSPs] to ensure reporting requirements are not too demanding or burdensome". This represents an opportunity for the industry to engage with the ICO on the UK incident reporting requirements going forward.
UK: ICO proposals for guidance on incident reporting thresholds
In October 2021, the ICO consulted on two potential approaches to thresholds to be set out in the Commissioner's guidance:
- Proposal One: Revise existing thresholds so that they are applicable to UK markets. This adopts the existing considerations, but with revised numerical thresholds to take account of the smaller UK market.
- Proposal Two: Replace numerical thresholds with a risk-based indicative and relative thresholds. This recognises that numerical thresholds may have limited application to some digital services, and would instead require the RDSP to undertake an assessment of the impact of the incident, taking into account various factors. This would involve a matrix approach, looking at impact on (1) service functionality, (2) information processed, and (3) recoverability, and incorporating factors such as number of users and duration. Any incident that has a 'high' impact level in any of these three categories would require notification.
Both of these proposals would continue to operate within the existing legislative framework in the UK. Notably, incidents resulting in a personal data breach may still require notification, even if the relevant thresholds have not been met.
The Consultation closed on 14 October 2021. More widely, the UK Government's Plan for Digital Regulation published in December 2020 suggests a wider consultation on the NIS Regulations may be in the pipeline.
EU: Proposals for NIS2 Directive
In December 2020, the European Commission published its Proposal for a directive to repeal the current NISD and replace it with a revised directive, "NIS2". The requirements and changes under the Proposal are wide ranging and beyond the scope of this short briefing.
However, its worth noting that the Proposal would expand the incident notification requirements on providers of cloud computing, online marketplaces and online search engines, to include both:
- incidents having "significant impact on provision of their services"
- any "significant cyber threats" which could potentially result in a significant incident.
Whether incidents are 'significant' or not would also take into account the potential of the incident to cause operational disruption or losses. Reporting of incidents based on their potential impact is likely to cause further challenges for service providers.
However it remains to be seen where the EU requirements will land on this; the NIS2 proposal is still going through the EU legislative process, and will likely be supplemented by further implementing legislation.
Challenges for RDSPs
RDSPs operating in both the EU and UK look set to be subject to diverging notification regimes in the EU and UK. At the same time, sector-specific requirements are likely to raise the expectations from RDSPs customers in certain sectors, in particular in financial services – see our earlier briefings on the UK and EU developments on operational resilience in financial services
Here to help
If you have any questions about what we've covered in this article, please don't hesitate to get in touch.
