Government response to the call for views on amending the Security of Network and Information Systems Regulations - GOV.UK


This document sets out the government’s response to the public consultation, Call for Views on amending the NIS Regulations, regarding incident reporting thresholds for Relevant Digital Service Providers in scope of the NIS Regulations. It will cover:


Alternative format versions of this publication can be requested from the address above.


If you have any complaints or comments about the consultation process you should contact the NIS Directive Team at the address above.


Information provided in the course of this consultation, including personal information, may be published or disclosed in accordance with access to information regimes, primarily the Freedom of Information Act 2000 (FOIA) and the Data Protection Act 1998 (DPA).


The Department for Digital, Culture, Media and Sport will process your personal data in accordance with the DPA and, in the majority of circumstances, this will mean that your personal data will not be disclosed to third parties. This consultation follows the UK government’s consultation principles.


In 2018, the Network and Information Systems (NIS) Regulations came into force. The NIS Regulations cover operators of essential services and relevant digital service providers. The latter are the focus of this government consultation. Relevant digital service providers fall into three categories: online search engines, online marketplaces, and cloud computing services. Their competent authority is the Information Commissioner’s Office (ICO).


Currently, the thresholds for a digital service provider to report a NIS incident are set in legislation at a level deemed appropriate for the EU market. In contrast, operators of essential services have their thresholds set in guidance, which means they can be amended. The thresholds for digital service providers no longer work for the UK now that it has left the EU. This is a deficiency in the NIS legislation that needs correcting to ensure appropriate levels of NIS incident reporting by digital service providers in the UK, and policy intervention is needed to rectify it.


Section 8(1) of the European Union (Withdrawal) Act 2018 allows the Secretary of State to fix deficiencies in legislation arising from the UK’s exit from the EU via secondary legislation. In July 2021 the government published a Call for Views on a proposed statutory instrument to amend the NIS legislation. The purpose of the Call for Views was to gather public views on the proposals to amend NIS legislation in the area of reporting thresholds for digital service providers.


The government received 91 responses to the Call for Views. The responses were generally positive or neutral towards the proposals. Suggested improvements, constructive comments, or areas of concern have been responded to in this document. The government strongly believes that the proposed changes in this statutory instrument will maintain and enhance the effectiveness of NIS legislation in protecting the security of network and information systems for digital service providers.


The Call for Views was launched on 26 July 2021, and the deadline for responses was 27 August 2021. In total, there were 91 responses to the Call for Views, with the breakdown of respondents as follows:


33 respondents answered whether their organisation was under the scope of the NIS Regulations. Of these:


Respondents were asked two further questions, both of which have their own detailed section below. The first of these asked if respondents agreed with our proposal to move incident thresholds for relevant digital service providers out of legislation and into ICO guidance. The second of these questions expanded further, and asked those respondents who disagreed/strongly disagreed with our proposal to choose from a pre-set list of reasons why, as well as an option for other reasons.


Table 2: Breakdown of respondents answering whether their organisation is under the scope of NIS.


Q3. To what extent do you agree or disagree with our proposal to move incident thresholds from legislation to ICO guidance?


In total 38 respondents provided a response to Q3. Of these responses:


Table 3: Summary of responses to Q3: To what extent do you agree or disagree with our proposal to move incident thresholds from legislation to ICO guidance?


Please note that some of the tables and graphs in this document do not always total exactly 100% because results are rounded to the nearest one percent.


The results of Q3 suggest that overall, respondents are either in favour of or are ambivalent towards the government’s proposals to move the incident thresholds from legislation to ICO guidance.


Only 1 in 10 respondents actively disagreed with the proposal, suggesting that there is limited opposition overall. However, consideration has been given to all feedback, and this response tackles the main themes emerging from comments that were not supportive below.


Q4. You said that you disagree/strongly disagree with our proposal. Why do you disagree/strongly disagree?


Table 4: Breakdown of the number of selected choices for respondents disagreeing with the government’s proposals.


The most frequent reason for respondents disagreeing/strongly disagreeing with the government’s proposal was that the ICO should not have the power to amend the thresholds without prior consultation, with 7 respondents citing this reason. Further written feedback highlighted concerns over the ICO amending the thresholds without any statutory duty to consult.


Although, under the government’s proposals, the ICO has no statutory duty to consult industry on the guidance setting out the thresholds, the ICO has confirmed its commitment to regular engagement with industry. This includes consulting relevant digital service providers on any changes to the thresholds to ensure reporting requirements are not too demanding or burdensome.


Currently, competent authorities do not have any statutory duty to consult operators of essential services on changes to the guidance for reporting thresholds. However, this is agreed-upon practice, and operators of essential services have always been consulted by their competent authorities in order to establish fair and appropriate thresholds for incident reporting. The ICO launched its own consultation on the proposed thresholds on 10 September 2021, with two separate threshold models.


The limited number of respondents citing this as a reason for opposing the proposal also suggests that this is an issue for only a minority of respondents, and this does not reflect the wider sentiment of respondents to the consultation.


The government will continue to work closely with the ICO as the competent authority for relevant digital service providers, and ensure that the ICO consults regularly so that any changes in the level of thresholds for reporting strike a fair balance between reporting requirements and maximising the efficiency of the NIS reporting process.


The second most frequent reason for respondents disagreeing/strongly disagreeing with the government’s proposal was that amending the threshold levels would cause the UK’s NIS reporting requirements to diverge from the EU’s, with 6 respondents citing this reason.


Whilst the government is aware that allowing the ICO to amend the threshold levels may result in them diverging from the levels set for the EU, it believes this is a necessary risk. The current thresholds are not fit for purpose and do not meet the needs of the UK economy: very few incidents are currently being reported. The government needs to ensure the NIS legislation is effective on a UK basis.


The contents of this proposal are not reflective of any political stance on NIS, but instead are reacting to wider changes in the political landscape and implementing appropriate steps to ensure NIS legislation remains effective. The government will continue to work with the EU to maintain cooperation where possible.


The third most frequent reason for respondents disagreeing/strongly disagreeing with the government’s proposal was that they disagreed with the thresholds being moved out of legislation, with 5 respondents citing this reason.


The core element of the government’s proposal is to remove the reporting thresholds from legislation and place them into guidance issued by the ICO. This will give the ICO, as competent authority, the power to change the reporting thresholds as it considers appropriate for digital service providers without the burden of updating legislation. This brings the setting of reporting thresholds for digital service providers in line with the approach the NIS Regulations take for setting thresholds for operators of essential services (where the competent authorities already do so in guidance). The move to replace legislation with guidance for the ICO does not introduce any new elements or practices to the NIS Regulations above and beyond those of the other competent authorities. In fact, it brings the ICO’s regime into line with the approach of the other NIS competent authorities.


The small proportion of respondents who disagreed with moving the thresholds out of legislation is encouraging, and suggests that there is limited opposition to moving the thresholds out of legislation.