The government has published its response to the April 2018 targeted consultation on the Security of Network and Information Systems Directive (NISD). The targeted consultation specifically addressed how NISD will apply to Digital Service Providers (DSPs) in the UK, focusing on the identification of DSPs, security measures and further guidance. This follows the government’s public consultation in August 2017 – see our recent blog on this here.
The targeted consultation received 12 responses that largely showed support for the government’s overall approach. Concerns were expressed, however, regarding the uncertainty over who falls within NISD’s scope and the subject of costs recovery.
As the Network and Information System Regulations 2018 (the NIS Regulations) are already in force, the targeted consultation process will be used to assist the Information Commissioner’s Office (ICO) in providing updated guidance to DSPs. The government’s response, therefore, provides a useful insight into the future guidance on this topic, which will directly affect the regulation of DSPs in the UK.
Government response to consultation
Identification of Digital Service Providers
Respondents to the targeted consultation were concerned about the scope of the definition of ‘cloud service provider’, and about the lack of clarity surrounding the definitions of ‘scalable and elastic’ in relation to cloud computing services and of ‘online marketplace’.
The government said the language in the NIS Regulations, including the legal definition of a DSP, reflects the language of NISD. The government believes that DSPs should not be interpreted to include all online activity, or all activity that could potentially be classed as ‘software as a service’. The government has therefore adopted a narrower interpretation to be consistent with NISD. When defining ‘scalable and elastic’, the government largely repeated the definition in Recital 17 of NISD, which says: “The term ‘scalable’ refers to computing resources that are flexibly allocated by the cloud service provider, irrespective of the geographical location of the resources, in order to handle fluctuations in demand. The term ‘elastic pool’ is used to describe those computing resources that are provisioned and released according to demand in order to rapidly increase and decrease resources available depending on workload.”
To fall within the definition of ‘online marketplace’, the service must be a “genuine marketplace for goods or services and not an online retailer”. If the DSP offers both, then NISD will still cover the online marketplace services. Other factors relevant to the applicability of the NIS Regulations include how payment is taken, where the purchase and transaction take place and the size of the DSP.
The majority of respondents said that they understood the security requirements in NISD, but concerns were raised about the inconsistency of requirements across Europe.
The government emphasised the need for consistency with other European security and incident reporting measures – including the Commission’s Implementing Regulation – which DSPs are already required to comply with under the NIS Regulations. The government has recommended to the ICO that DSPs be advised to follow the European Network and Information Systems Agency technical guidelines.
Respondents requested clear and comprehensive guidance from the ICO on how DSPs can meet the requirements of the NIS Regulations. The government highlighted that most of the requested guidance is already covered by the NIS Regulations, primarily in Regulation 12.
The government’s response provides a useful indication of what the ICO’s updated guidance will cover and also how the guidance – including the application of the NIS Regulations – will apply to DSPs in the UK.
It is not clear when the ICO will be updating its guidance, but the government says it will be completed “as soon as is feasible”.