UK incident reporting laws updated as ransomware attacks rise

Out-Law News | 19 Jan 2022 | 12:38 pm | 3 min. read

Search engines, online marketplaces and cloud computing providers are more likely to have to report major cybersecurity incidents in the UK after the government moved to address “EU-exit related deficiencies” in UK regulation.

Changes to the UK’s regulations on network and information security (NIS) impacting ‘digital services providers’ (DSPs) operating in the UK took effect on 12 January. The amendments update thresholds relevant to DSPs for reporting cybersecurity incidents to the UK’s Information Commissioner’s Office (ICO).

The NIS regulations in force in the UK were derived from the EU’s NIS directive, which took effect prior to Brexit. The NIS regime contains two sets of rules – one for operators of ‘essential services’, and one for DSPs. While it was left to each EU member state, including the UK at the time, to determine which organisations in their jurisdiction are operators of essential services with reference to the directive’s umbrella provisions, a more harmonised approach was taken in respect of the requirements facing DSPs in recognition of the fact many of those providers operate on a cross-border basis.

Under the UK’s NIS regulations, DSPs are obliged to notify the ICO in writing about “any incident having a substantial impact” on the provision of their services – provided they have “access to information which enables it to assess whether the impact of an incident is substantial”. However, the UK regulations do not provide any guidance on what is meant by ‘substantial impact’.

Before the changes to the UK’s NIS regime were made on 12 January, DSPs had to consult an EU implementing regulation for more detailed provisions on their reporting obligations. That EU law sets out parameters to be taken into account to determine whether the impact of an incident is substantial, as well as specific examples of when an incident would be considered as having a substantial impact.

Under the latest amendments to the UK’s NIS regulations, however, the UK government has altered the parameters that DSPs had to consider. The government issued an explanation alongside the legislative changes in which it stated that the parameters set at EU level “do not work effectively for the United Kingdom as a standalone nation” and gave an example.

“Most importantly, the reporting thresholds set by reference to the number of the (EU) population affected are generally too high to trigger reporting in the United Kingdom,” the government said. “This means that the competent authority for digital service providers, the information commissioner, may not be sighted on cyber incidents which have caused disruption to the service provided by the digital service providers. The purpose of the reporting requirements is to ensure that the competent authorities are sighted on such cyber incidents and the setting of the reporting thresholds at their current (EU) level undermines this. The criteria and the thresholds for reporting in the NIS EU Implementing Regulation need amending to remedy this.”

However, while the UK government has amended the UK NIS regulations so that DSPs must consider the geographical impact of an incident across the UK, rather than across the EU, when determining whether the ‘substantial impact’ threshold for reporting has been met, it has not otherwise replaced the EU-level parameters with new UK-level parameters set out in law. Instead, the government left it open to the ICO to issue guidance on the reporting thresholds DSPs face in the UK.

The ICO has published guidance for DSPs on incident reporting under the UK NIS regulations. This explains when the ICO will expect to be notified of a NIS incident. Examples include when an incident renders the provider’s service unavailable for more than 750,000 user-hours; the incident results in a loss of integrity, authenticity or confidentiality of data or services and affects more than 15,000 UK users; the incident created a risk to public safety, public security, or of loss of life; or the incident caused material damage to at least one user in the UK, and the damage to that user exceeded £850,000.

Voluntary reporting of incidents that do not meet the reporting thresholds is encouraged by the ICO. The authority also advised DSPs to consider whether an incident qualifies as a personal data breach reportable under the UK General Data Protection Regulation even if it does not trigger reporting obligations under the NIS regime.

Cyber risk expert Stuart Davey of Pinsent Masons said: “The UK government completed a legislative review of the NIS Regulations in February 2020 and will continue to review them every five years. It has expressed a wish that the NIS Regulations remain flexible, to adapt to changing circumstances and allow competent authorities to tailor their respective regulatory practice. These recent changes reflect that desire in the post-Brexit landscape. We will have to wait to see how the UK government responds to planned EU wide cyber security regulation, including NIS2.”

The amendments to the incident reporting obligations for DSPs under the UK’s NIS regime come at a time when businesses around the world are seeing a surge in cyber crime, according to new figures from the World Economic Forum (WEF).

According to WEF, the number of cyber attacks on individual organisations rose by an average of 31% last year, with the number of ransomware attacks alone rising by 151% in 2021. WEF said the average cost to an organisation of a successful cyber attack is $3.6 million.