
New incident reporting thresholds for digital service providers

Another year, another amendment to the NIS Regulations. But with fresh Covid restrictions, the festive season and seemingly endless Brexit-related legislative changes, it would be easy to overlook The Network and Information Systems (EU Exit) (Amendment) Regulations 2021, made in December 2021 and in force since 12 January 2022. So, for those who may have missed them, here is a starter for ten.

The changes aim to rectify deficiencies arising from the UK’s exit from the EU. They apply to Relevant Digital Service Providers (RDSPs), not to operators of essential services (OESs), who are also subject to the NIS Regulations, and primarily amend the thresholds for determining whether an incident must be reported to the ICO.

Under the NIS Regulations, an RDSP must report an incident that has a “substantial impact” on the provision of its digital service, which is determined by reference to various parameters and certain thresholds. The thresholds were set out in an EU regulation and calibrated to an EU-wide market. After the UK left the EU, not all of them were appropriate for the UK as a standalone market, and they have now been updated. Concerns raised during the consultation stage about divergence from the equivalent EU rules were outweighed by the need for an incident reporting regime that works for the UK.

The thresholds have also been moved into ICO guidance. As you would expect, there were concerns that the ICO could unilaterally amend its guidance and, with it, the thresholds. However, the ICO has committed to consulting on any proposed amendments. Placing the thresholds in guidance also aligns with the approach taken to setting similar thresholds for OESs.

Full details of the new thresholds are set out in the ICO guidance but, briefly, the impact of an incident should be considered substantial if:

  • the digital service was unavailable for more than 750,000 “user hours”;
  • the incident resulted in a loss of integrity, authenticity or confidentiality of data or services affecting more than 15,000 users in the UK;
  • the incident created a risk to public safety, public security or of loss of life; or
  • the incident caused material damage to at least one user in the UK that exceeded £850,000.

The Government commented in its consultation response that very few incidents were being reported by RDSPs. Whatever your view on previous incident reporting levels, it seems likely that the new thresholds will lead to more incidents being reported, but watch this space!
