NIS Compliance: What UK Businesses Need to Know

In Short

  • The NIS Regulations set out cybersecurity duties for essential service providers and certain digital service providers in the UK.
  • The UK GDPR focuses on protecting personal data, but both laws require security measures and breach reporting.
  • Some businesses must comply with both frameworks and should take legal advice to manage overlapping obligations.

Tips for Businesses

If your business operates essential or large-scale digital services, check whether the NIS Regulations apply. You may also have duties under the UK GDPR. Review your cyber and data protection processes together, and ensure you can detect, manage, and report incidents quickly. Seek legal advice if you’re unsure about your obligations.

Cybersecurity is a core operational and legal risk for businesses, large and small. A major incident can shut down your company’s systems, interrupt your services, and expose you to serious regulatory consequences. Certain businesses in the UK may have mandatory duties under the UK General Data Protection Regulation (UK GDPR) and the Network and Information Systems Regulations 2018 (NIS Regulations). While the UK GDPR protects personal data, the NIS Regulations focus on securing network and information systems supporting essential services and digital infrastructure (rather than personal data). Nonetheless, there are certain overlapping areas, and some businesses will be subject to compliance with both legal frameworks. This article explores the importance of cybersecurity, the NIS Regulations, and their difference from UK data protection laws, as well as the importance of compliance with both frameworks where necessary. 

Why Does Cybersecurity Matter for Businesses?

Cyberattacks can affect organisations of any size. Many criminals will seek to target smaller businesses that they believe have weaker defences. A successful attack can cause various issues such as financial loss, reputational harm, regulatory scrutiny, or disruption to key operations, which can significantly impact a company’s bottom line. 

Businesses in the UK must adopt appropriate security measures, and more than one law imposes that duty. The UK GDPR requires it for personal data, and the NIS Regulations require it for the network and information systems that support essential and digital services. 

What Does the UK GDPR Require About Data Security?

The UK GDPR sets out rules for how organisations collect, use, and store personal data. It applies to any organisation that handles personal information about individuals. Personal data is defined broadly and includes details such as names, email addresses, payment details, and any other information that could identify an individual. 

Under the UK GDPR, personal data must be protected against unauthorised or unlawful processing and against accidental loss, destruction, or damage. 

The UK GDPR requires businesses to protect personal data by implementing appropriate technical and organisational security measures. Although this law does not spell out exact mandatory measures, it expects organisations to adopt a risk-based approach tailored to the personal data they process and the potential risks involved. 

When determining appropriate data security measures to protect personal data, you should consider factors such as the nature and sensitivity of the data, implementation costs, and the potential harm a data breach could cause to individuals.

What are the NIS Regulations (Regulations)?

The UK introduced the NIS Regulations in 2018 to implement the EU’s Network and Information Security Directive (Directive (EU) 2016/1148). Government and regulator guidance on the NIS Regulations, their background, and their purpose is available and worth reviewing. 

The Regulations impose cybersecurity and reporting duties on:

  • Operators of Essential Services (OES) in specific sectors: energy, transport, health, drinking water, and digital infrastructure; and
  • Relevant Digital Service Providers (RDSPs): online marketplaces, online search engines, and cloud computing services, excluding small and micro businesses.

The NIS Regulations do not specifically address personal data. Instead, they focus on the security and resilience of network and information systems.

The ICO’s guidance provides detailed information on which digital service providers are classed as RDSPs, and explains which businesses are exempt. Sector competent authorities publish the equivalent thresholds for OES. 

Key Obligations

The law states that OES must ‘take appropriate and proportionate technical and organisational measures to manage risks posed to the security of the network and information systems’ on which their essential services rely. 

OES must also take appropriate measures to prevent incidents affecting the security of the network and information systems used to provide essential services, and to minimise the impact of any incidents that do occur. 

In the event of an incident that significantly impacts the continuity of an essential service, OES must notify their competent authority without undue delay and, in any event, no later than 72 hours after becoming aware of the incident. Because the clock starts at awareness, an OES needs monitoring and escalation processes that detect and triage incidents quickly enough to meet the deadline. 

The law states that RDSPs must identify and take appropriate and proportionate measures to manage the risks posed to the security of the network and information systems they use to provide digital services in the UK, such as online marketplaces, search engines, or cloud computing services. In doing so, RDSPs must take into account the security of systems and facilities, incident handling, business continuity management, monitoring, auditing and testing, and compliance with international standards.

RDSPs must notify the ICO without undue delay and no later than 72 hours after becoming aware of any incident having a substantial impact on the provision of their services. RDSPs must also register with the ICO.

The ICO guidance explains that NIS is overseen by ‘competent authorities’ for the different sectors, with the ICO being the competent authority for RDSPs. Competent authorities can conduct inspections, issue information and enforcement notices, and impose penalties for non-compliance. For the most serious NIS breaches, the maximum penalty is £17 million. 

How Do the NIS Regulations Interact With the UK GDPR?

Although the UK GDPR and NIS Regulations cover different areas, organisations within their scope must follow both. 

There is a clear overlap between the two regimes. For example, a single cyberattack could trigger duties under both laws: a NIS incident notification to the competent authority where service continuity is affected, and a personal data breach notification to the ICO under the UK GDPR where personal data is compromised. These are separate notifications with separate tests, even where the ICO is the recipient of both (as it is for RDSPs). Both frameworks require risk-based security and fast incident response, with strict reporting deadlines.

Organisations covered by NIS will often act as data controllers or processors under UK GDPR, meaning they must manage security obligations under both laws.

An organisation may face dual enforcement under the UK GDPR and the NIS Regulations from a single incident. As such, it is vital to prioritise compliance with both sets of laws where necessary.

If an organisation is unsure about which laws it needs to adhere to, it should seek legal advice to avoid risk (particularly the risk of enforcement action under both regimes). 

Key Takeaways

The NIS Regulations impose important rules for OESs and RDSPs regarding cybersecurity and incident notifications. These organisations have key obligations, including adopting strong cybersecurity measures and reporting major incidents quickly. Many organisations that fall under the regulations also fall under the UK GDPR, which governs personal data. Where both laws apply, legal duties can be complex and onerous. Understanding these rules and seeking legal advice is helpful to reduce risk.

If you need help understanding the legal rules that apply to your business, our experienced data, privacy and IT lawyers can assist you as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Frequently Asked Questions 

What are the NIS Regulations?

The NIS Regulations are UK laws that impose additional cybersecurity and incident-reporting obligations on certain operators of essential services and relevant digital service providers.

What is the difference between the NIS Regulations and the UK GDPR?

The NIS Regulations protect the security of the network and information systems behind essential and digital services, while the UK GDPR protects personal data. Some organisations will need to follow both sets of rules. 

Sej Lamba

Sej is an Expert Legal Contributor at LegalVision. She is an experienced legal content writer who enjoys writing legal guides, blogs, and know-how tools for businesses. She studied History at University College London and then developed a passion for law, which inspired her to become a qualified lawyer.

Qualifications: Legal Practice Course, Kaplan Law School; Graduate Diploma in Law, Kaplan Law School; BA, History, University College.
