Cloud providers at risk of £17m fines following NIS Regulations update
Updated regulation changes law from requiring an incident to cause immediate threat to life or significant adverse impact on the UK economy, to merely requiring a significant risk or significant impact in relation to service provision, meaning that any outage could potentially result in a huge fine
Cloud providers could face fines of up to £17 million under updated regulations which came into force in the UK on 31st December 2020.
The NIS (Network and Information Systems) Regulations previously reserved its maximum fine of £17 million for incidents causing an immediate threat to life, or a significant adverse impact on the UK's economy. However the updated version drastically lowers the bar for the maximum fine, ruling that the highest fine will be available for any incident which causes a significant risk or significant impact in relation to to the supplier's service provision.
This creates the potential for the fine to be levied for any significant outage at a cloud provider offering services within the UK.
The EU NIS Directive first came into force in the UK in 2018 under the initial UK NIS Regulations.
"As far as business is concerned it regulates two types of providers," said Dr Kuan Hon, director with the Privacy, Security & Information Law team at Fieldfisher. "The first is operators of essential services [OESs], which basically means critical national infrastructure. The second is digital service providers [DSPs], which is limited to cloud providers, online marketplaces and search engines."
For businesses, the focus of the NIS Directive is on, firstly, the security of connected network and information systems, including the data held within those systems, and, secondly, the reporting of incidents.
"There is some overlap with GDPR as that data could include personal data, however NIS also covers non-personal data," added Hon.
She added that the lowered bar for the highest fines is a significant change.
"The NIS is more about availability than confidentiality or integrity, so the fact that the maximum fine can be levied if there's a significant risk or impact relating to your service provision, however unimportant your service may be to the broader economy, is a big change.
"But the £17m fine can be imposed only for a 'material contravention' that the regulator thinks created, or could have created, significant risk/impact in relation to service provision. That means failures regarding important requirements like security obligations, so you will have had to breach your duty to have appropriate measures to manage security risks to systems relied on to provide the relevant service, for example. Or if you don't notify the regulator as you were supposed to regarding an incident.
"Also, the amount of the fine must be appropriate and proportionate to the failure, and the regulator can't seek to fine unless it has reasonable grounds to believe that the OES/DSP didn't comply with certain duties and it considers a fine to be warranted in the particular case.
"For OESs the bar for notification to the regulator is for an incident with significant impact on the continuity of the essential service, for DSPs it's 'substantial impact' (with certain numeric thresholds to consider), and notification must happen within 72 hours after becoming aware of the incident."
Brexit has also had an impact on the regulation, with another change to the NIS Regulations stating that if an organisation has a head office outside the UK, but offers "digital services" within the UK, then it must nominate a representative in the UK. The ICO must be informed of this nomination, so it knows who to communicate with in the event of an incident or query.
However, Hon adds that there's a potential drafting error in the regulations when it comes to this nomination.
"The updated regulation says that the ICO [Information Commissioner's Office] must be informed of the nomination within three months of 'these regulations' taking effect. But the NIS Regulations originally took effect in 2018, so that's impossible. It's a similar situation for OESs, but the deadline is stipulated as 31st March 2021. It would make more sense if DSPs had the same timescale. Perhaps they meant three months after the amending regulation take effect."
The reverse situation is also true, in that UK cloud providers offering services within the EU must similarly nominate a representative in Europe. Since the UK is no longer in the EU, this means designating an overseas representative.
"The NIS Directive says clearly that if a UK DSP appoints a NIS representative in a particular EU Member State, they'll be under the jurisdiction of that member state. It does have to be in an EU country where its actually offering services," explained Hon.
Many firms are uncertain about whether or not they are a DSP, as the EU has taken its definition of cloud from the US National Institute of Standards and Technology (NIST).
This definition defines cloud services as services that enable access to a scalable and elastic pool of shareable computing resources..
"But some companies say that our SaaS services aren't scalable or elastic so we don't have to register [in the UK, DSPs are required to register with the Information Commissioner's Office]. They might say that we have a cap on our offering, so it's not scalable and we're exempt." says Hon. "This is very much a risk-based approach", she continued, "and even if they decide not to register they should still consider checking and documenting that their security measures comply with NIS, and building possible NIS notifications into their incident response plans".