The UK’s New Cybersecurity Regulations: What U.S. Tech Companies Need to Know
In a significant development that drew little attention in this country, the UK’s Network and Information Systems Regulations of 2018 (NIS Regulations) took effect on May 24, 2018. (The official text is available here and the government’s formal Guidance is available – and usefully indexed – here.) Intended to improve cybersecurity for IT systems in sectors such as energy, health care and transportation, the NIS Regulations implement the EU’s Network and Information Security Directive 2016/1148 (NIS Directive). The UK has indicated that it intends for the NIS Regulations to continue in force following the UK’s exit from the EU even though the UK will no longer be subject to the NIS Directive after that time. While the General Data Protection Regulation (GDPR), which took effect about the same time (May 10, 2018), got all the publicity, the NIS Regulations may be as important for many U.S.-based IT companies that do business in the UK. The NIS Regulations apply to a wide spectrum of companies and organizations and cover a much broader range of incidents, not just those impacting personal data as is the case with the GDPR. And like a violation of the GDPR, a violation of the NIS Regulations can result in significant monetary penalties.
Who Is Covered?
The NIS Regulations apply to operators of essential services (“OESs”). UK authorities are permitted to designate certain services as essential. The designated essential services include transportation, health care, energy, supply of drinking water, and digital infrastructure (e.g., providers of internet exchange points and top-level domain name registries). OESs are responsible for identifying themselves to and engaging with the applicable Competent Authority – a group of public entities with regulatory and enforcement responsibilities under the NIS Regulations, discussed in more detail below.
In addition to digital infrastructure operators, the NIS Regulations also apply to a variety of relevant digital service providers (“RDSPs”), such as online marketplaces, search engines and cloud computing providers. (“Small or micro enterprises” – fewer than 50 employees or less than €10 million gross revenues – are excluded.) The RDSP definition may be the most significant provision for mid-sized U.S.-based companies that do business in the UK. RDSPs are subject to the NIS Regulations if they provide a covered digital service in the UK and either their head office is in the UK or they have designated a representative in the UK. The NIS Directive in turn requires RDSPs that are not located in the EU but offer services to customers in an EU country to designate a representative in that country. (A representative is an agent who can deal with the UK authorities.) Putting these various provisions together, the effect is that a U.S.-based company is required to designate a representative in the UK, and will be subject to the NIS Regulations, if its activities fit the definition of an RDSP and it is offering its services in the UK.
If You’re Covered, What Do You Have to Do?
RDSPs are required to register with the UK Information Commissioner’s Office (ICO) no later than three months after satisfying the definition of an RDSP under the NIS Regulations. The registration is very simple, requiring nothing more than the submission of basic contact information. (For official government guidance on how to register, more detailed information on the definition of an RDSP, and much more on compliance by RDSPs, see here.)
Substantively, the NIS Regulations require OESs and RDSPs to take appropriate and proportionate technical and organizational steps, considering the state of available technology, to maintain security of their networks and to prevent and minimize the impact of potential incidents that could affect the security of their networks or information systems. The UK National Cyber Security Centre (NCSC) has issued a Guidance Collection targeted at OESs, which may also be useful to RDSPs (available here). The NCSC’s Table View of Principles and Related Guidance provides summary recommendations concerning governance, risk management, asset management, supply chain, service protection, identity and access control, data security, system security, resilient networks and systems, staff awareness and training, security monitoring, proactive security event discovery, and response and recovery planning and improvements.
All of this guidance can appear overwhelming to a smaller U.S.-based company that qualifies as an RDSP. Given this, it is important to emphasize – as the NCSC itself does – that the guidance consists of principles, not rules, and also to stress the key phrase “appropriate and proportionate.” That is, you have to take steps that make sense for your company, given its size and the nature of its business. The various recommendations in the guidance documents are a menu of specific approaches, to be considered for implementation if they seem to fit. The introduction to the NCSC Guidance Collection emphasizes that the applicability of any specific method or approach will depend on the specifics of your business and that no single method necessarily applies to any particular business.
In addition to maintaining technical and organizational security standards, both OESs and RDSPs are required to notify the applicable Competent Authority on the occurrence of certain incidents. The Competent Authorities are a group of government agencies with NIS oversight and enforcement responsibilities; the ICO is the Competent Authority for RDSPs. An OES must notify the applicable Competent Authority of any incident that has a significant impact on the continuity of the essential service provided by the OES within 72 hours after the OES becomes aware of the incident’s occurrence. In assessing whether a significant impact has occurred, the OES must consider the number of users affected, the duration of the incident and the geographic areas impacted by the incident. Likewise, RDSPs must notify the ICO of any incident having a substantial impact on the provision of any digital service, but only if the RDSP has access to information enabling it to assess whether the impact of an incident is substantial. In making such an assessment, the RDSP must consider the number of users affected (in particular, users relying on the applicable digital service for provision of their own services), the duration and geographic area of the incident, the extent of the disruption to the functioning of applicable services and the extent of the impact on economic and societal activities. If that assessment results in a finding that an incident has a substantial impact, then the RDSP must notify the ICO within 72 hours after it becomes aware of the occurrence of the incident.
What are the Penalties for Noncompliance?
Violations of the NIS Regulations can result in fines assessed at the discretion of the applicable Competent Authority or the ICO, subject to the following limitations: fines for a material breach of the NIS Regulations that has caused or could cause an incident resulting in a reduction of service by an OES or RDSP for a significant period of time are capped at £3.4 million; fines for a material breach that has caused or could cause an incident resulting in a disruption of services provided by an OES or RDSP for a significant period of time are capped at £8.5 million; and fines for a material breach that has caused or could cause an incident resulting in an immediate threat to life or a significant adverse impact on the UK economy are capped at £17 million.
Fines approaching these capped amounts are likely to be extremely rare. They are nonetheless possible, so the NIS Regulations cannot be safely ignored. Smaller U.S.-based IT companies should begin by reviewing the NIS Regulations and the Guidance to decide whether they qualify as RDSPs. If so, they should take the simple step of registering with the ICO. They should then review and assess their security programs in light of the principles and recommendations in the NIS Regulations and the Guidance. Maintaining a written security plan aligned with the NIS Regulations and Guidance is advisable along with documentation of compliance with the plan. Such documentation could prove valuable in connection with incident reporting and could weigh on penalties assessed in connection with any violation.
A final practical note is that the NIS security principles do not differ significantly from those to which U.S.-based companies may already be subject under the GDPR or any of the U.S. sector-specific privacy and security regimes (e.g., Gramm-Leach-Bliley for finance and HIPAA for health care, the Federal Trade Commission’s Privacy Framework, and the data privacy laws of California and many other states). For this reason, complying with the NIS Regulations may turn out to be far less onerous than it first seems. In addition, the NIS compliance review may improve your compliance with those domestic laws.
The attorneys at Robinson Bradshaw are ready to help with any questions you may have related to these regulations.