Background
In our article NIS Regulations and providers of access to cloud resources we explained how providers’ networks, servers, storage, applications and other digital services may fall within the ambit of the Network and Information Systems Regulations 2018 (NIS Regs) if they meet the definition of a “cloud computing service” and are not exempted by the current minimum thresholds, both as set out in the NIS Regs.
In this article, we summarise the obligations of those that the NIS Regs capture.
Cloud computing service providers – obligations under the NIS Regs
The NIS Regs impose certain obligations on cloud computing service providers. Also, in times of heightened focus on cybersecurity, the reputational impact of getting it wrong should not be underestimated.
The key obligations are as detailed below:
Manage security risk
Take appropriate and proportionate measures to manage the risks posed to the security of the network and information systems on which it relies to provide its services. This includes:
having regard to the state of the art, ensuring a level of security of those systems appropriate to the risk posed; and
preventing and minimising the impact of incidents affecting those systems, with a view to ensuring the continuity of the services, taking into account:
the security of systems and facilities
incident handling
business continuity management
monitoring, auditing and testing
compliance with international standards
Notify and assess security incidents that have a substantial impact
Notify the ICO in writing of any incident having a substantial impact on the provision of any of its digital services (this obligation applies only where the provider has access to the information needed to assess whether the impact is substantial). Notifications must include:
the time… the incident occurred
the duration of the incident
information concerning the nature and impact of the incident
information concerning any, or any likely, cross-border impact of the incident
any other information helpful to the ICO
Like personal data breaches, NIS incidents must be reported within 72 hours of the cloud computing service provider’s first awareness of the incident.
Assess whether the impact of the incident is substantial, taking into account:
number of users affected by the incident
duration of the incident
geographical area affected by the incident
the extent of the disruption to the functioning of the service
the extent of the impact on economic and societal activities
any guidance issued by the ICO
Register with ICO
Register with the ICO (currently free of charge), providing the following details:
name of the relevant digital service provider (RDSP)
address of the head office or nominated representative
up to date contact details, including email addresses and telephone numbers
Any changes to the above must be notified to the ICO within three months of the date of the change.
So, what does this mean for potential or actual cloud computing service providers?
For those well versed in data protection, this should not be too much of a leap, but this legislation should be reviewed separately and independently from data protection as it applies to ALL systems, irrespective of personal data.
Connect with Tracey at tracey@law-point.co.uk or call 01202 729444 to schedule your appointment.
© The Contract Shop t/a Lawpoint
Information correct as at 11 January 2024