EU and UK propose stronger NIS incident reporting requirements

The Network and Information Security Directive (NIS 2.0), already agreed between MEPs and the European Council in May, will set tighter cybersecurity obligations for risk management, reporting obligations and information sharing. The requirements cover incident response, supply chain security, encryption and vulnerability disclosure, among other provisions.

More entities and sectors will have to take measures to protect themselves. ‘Essential’ sectors such as the energy, transport, banking, health, digital infrastructure, public administration and space sectors will be covered by the new security provisions. The new rules would also protect ‘important’ sectors such as postal services, waste management, chemicals, food, manufacturing of medical devices, electronics, machinery, motor vehicles and digital providers. All medium-sized and large companies in selected sectors would fall under the legislation.

The directive also establishes a framework for better cooperation and information sharing between different authorities and member states and creates a European vulnerability database. Before the directive is published in the EU’s Official Journal, the Council must also formally adopt the legislation and negotiate its implementation with MEPs.

Stuart Davey of Pinsent Masons said: “One of the main drivers of NIS 2.0 was for further harmonisation on cyber across the member states. However, for organisations, this new legislation is likely to continue the process commenced by the original NIS Directive to help drive cyber improvements. It will do so across many more key sectors.”

It comes after the UK’s communications regulator, Ofcom, recently announced its own plans to strengthen Network and Information Systems (NIS) incident reporting requirements for operators of essential services (OES) in the UK’s digital infrastructure subsector. OES, such as domain name systems (DNS) providers and internet exchange providers (IXP), are already required to notify Ofcom of any incident that has a “significant impact on the continuity of the essential service they provide”.

But in a new consultation (29 pages / 384KB PDF), the regulator proposed lowering its incident reporting thresholds “to better reflect our expectations of which incidents should be reported to us by OES”. Ofcom said its guidance on NIS incident reporting thresholds had not been updated for more than four years, adding that “it is the right time” to revise them. It said the digital infrastructure had become increasingly critical to the life in the UK, with greater dependence on essential services in the subsector for the functioning of the internet, benefit to the wider economy, and societal wellbeing.

The regulator said it was aware of a number of recent incidents in the subsector that had been covered in the media – but had not been reported to Ofcom. These included one UK-wide internet outage in December 2021 that lasted for roughly 30 mins and affected more than 61 million users. Ofcom said such incidents “could have had a significant impact on the continuity of essential services” but added that it recognised that the scale of the outages fell below the existing incident reporting thresholds set out in NIS guidance.

Under Ofcom’s proposals, any incidents experienced by OES that meet new loss and degradation thresholds, and that last for 15 minutes or longer, must be reported to the regulator. Changes to degradation reporting thresholds for TLD name registry services would require providers to inform Ofcom if there was a “loss or significant degradation” of 25% or more of their aggregated name resolution capacity.

Meanwhile, IXP services must inform Ofcom of a “loss or significant degradation” of connectivity to 25% or more of connected autonomous system numbers – or a loss of 50% of total bandwidth. The reporting threshold for DNS resolver service providers would be halved by the proposals, meaning that they must inform the regulator of incidents where 25% of aggregated DNS resolver capacity is lost or significantly degraded. DNS authoritative hosting services will need to report incidents if aggregated capacity suffers a loss of significant degradation of 25% or more.

Davey said: “This is another example of further tweaking of the NIS regulations, on this occasion through guidance by the competent authority for digital infrastructure, Ofcom. It is consistent with various reviews and consultations about how the NIS Regulations have been implemented in the UK. While we still await the government’s response to its consultation from January 2022 on its proposal for legislation to improve the UK’s cyber resilience one of its components was to strengthen existing incident reporting duties. Under the current NIS regime, incident reporting is limited to incidents that impact on service, but it is proposed to expand this to also include other significant incidents.”

He added: “As would be expected with any new legislation, particularly in such a fast-moving world of cyber security, regulatory obligations are kept under review. In the digital infrastructure sector, this has translated into these recent changes to incident reporting. Other competent authorities have also refreshed their guidance around NIS in recent months.”