Whilst everyone was watching the GDPR, the Network and Information Systems Regulations 2018 (the "Regulations") came into force in the UK on 10 May 2018. The Regulations introduce new security standards intended to protect essential services and critical infrastructure against cyber attacks.
The Regulations apply to two types of organisation:
- Operators of Essential Services (OESs) – organisations that provide essential services in the transport, health, drinking water supply and energy sectors. The OES category also covers digital infrastructure, such as internet exchange points, domain name system (DNS) service providers and top-level domain name registries.
- Digital Service Providers (DSPs) – organisations that provide a digital service in the United Kingdom, such as online marketplaces, online search engines and cloud computing services.
OESs and DSPs must take appropriate and proportionate technical and organisational measures to manage the risks to their network and information systems, and they have duties to report incidents that have a substantial impact on the continuity of the service they provide.
Each OES is regulated by the existing Competent Authority (CA) designated for its sector; the Information Commissioner's Office (ICO) is the CA for DSPs.
The maximum financial penalty for breach of the Regulations will be GBP 17,000,000.
If an organisation relies on third parties (for example outsourced or cloud-based technology services), it remains liable for any breach of the Regulations. It should therefore make sure that responsibility and liability for security and incident reporting are clearly addressed in its contracts with those service providers.
If you are affected, the task is to assess the risk (including who you do business with, where third parties are involved), plan how you will respond to any disruption, and make sure someone within the organisation is charged with responsibility for compliance.
For more information, contact Jill Chamberlain.