Cyber incident reporting guide updated for UK digital infrastructure sector

Ofcom has published revised guidance (70-page / 842KB PDF) relevant to incident reporting obligations ‘operators of essential services’ in the digital infrastructure sub-sector are subject to under the Network and Information Security (NIS) Regulations 2018. The revised guidance reflects changes brought in by the Network and Information Systems Regulations (Amendment and Transitional Provision etc.) Regulations 2020 (the Amended NIS Regulations).

Domain name systems (DNS) providers and internet exchange providers (IXP) are among those required to notify Ofcom of any incident that has a “significant impact on the continuity of the essential service they provide” under the NIS regime. Ofcom’s revised guidance essentially alters the factors considered to render an incident’s impact significant.

Under the revised guidance, any incidents experienced by operators of essential services in the digital infrastructure sub-sector that meet new loss and degradation thresholds, and that last for 15 minutes or longer, must be reported to the regulator. For example, providers of TLD name registry services will be required to inform Ofcom if they experience “loss or significant degradation” of 25% or more of their aggregated name resolution capacity lasting at least 15 minutes.

The changes follow an Ofcom consultation with industry and other stakeholders last winter.

Ofcom said (13-page / 223KB PDF): “In deciding to make this change, we have taken into account factors such as the increased importance of the services we oversee since we set the previous thresholds, the government’s National Cyber Security Strategy: 2022 to 2030, and the responses we received to our consultation.”

The updated guidelines also refer back to the regulatory enforcement guidelines published in December 2022 and confirm that those guidelines cover any enforcement action Ofcom might take under the Amended NIS Regulations.

Cyber and data risk expert Rebecca Townsend of Pinsent Masons said: “This updated guidance follows the government plans, published earlier this year, outlining proposed changes to the NIS Regulations which would require the reporting of ‘any incident which has a significant impact on the availability, integrity, or confidentiality of networks and information systems, and that could cause, or threaten to cause, substantial disruption to the service’. There is no set date yet for implementation of these changes, but they are expected as soon as the parliamentary timetable allows for it.”