Cyber Security Practitioner
Back to Contents

Volume: 3 Issue: 11
(November 2017)

ico comments incident reporting rules under nis uks information commissioner elizabeth denham published 10 october 2017 her views rules

Europe EU

Share This Page

ICO comments on incident reporting rules under NIS

The UK’s Information Commissioner Elizabeth Denham published on 10 October 2017 her views on the rules on incident reporting proposed within the European Commission’s (‘EC’) draft Implementing Regulation pursuant to Article 16(8) of the Network and Information Systems (‘NIS’) Directive (the ‘Implementation Regulation’), the consultation period for which ended on 11 October 2017. The Implementing Regulation aims to provide ‘further specification of the elements to be taken into account by digital service providers for managing the risks posed to the security of network and information systems and of the parameters for determining whether an incident has a substantial impact.’ Denham, who leads the Information Commissioner’s Office (‘ICO’), which is the UK’s proposed competent authority for the regulation of digital service providers (‘DSPs’) under the NIS Directive, commented that “setting overly rigid parameters […] may be undesirable and may lead to a failure to report incidents which nevertheless have a substantial impact on the users of the service.”

Article 4 of the Implementation Regulation provides a non-exhaustive list of situations according to which an incident would be ‘considered as having a substantial impact,’ which includes instances in which at least one of the following situations has occurred: if a digital service is unavailable for more than five million user hours ‘whereby the term user hour refers to the number of affected users for a duration of sixty minutes,’ if the incident has resulted in a loss of integrity, authenticity or confidentiality of data accessible in a DSP system affecting more than 100,000 users in the EU, if the incident has created a risk for public safety, if an excess of €1 million worth of material damage is caused to at least one user, or if the incident has affected the provision of the services in two or more Member States. The Implementation Regulation also states that companies should draw on the best practice collected by the Cooperation Group on the modalities for reporting notifications of incidents. In her comments, Denham criticises using a numerical method to establish these thresholds, stating that “it would be more helpful to focus on the magnitude of the effect for the users of the service, using the parameters specified in the [NIS] Directive as a guide, with any figures suggested being merely indicative and not prescriptive […] the key parameter might not always be the number of affected users, or the length of time a service was unavailable. It might be helpful to consider whether an interruption to a more critical service should be notifiable at a lower level of interruption, and that less business-critical services could be tolerated to a higher level of interruption, or to a greater number of users. It should be recognised that DSPs may offer a variety of services, and that these may be affected to varying degrees, or not at all, during an incident.”

“The ICO’s comments make a lot of sense,” said Andrew Moir, Partner at Herbert Smith Freehills. “The concept of the ‘user hour’ will lead to long notification periods for outages that might in any event be significant: an outage of a critical system which affected 20,000 users would only be reportable after ten days. Alternatively, a minor incident affecting only two individuals who happen to be in different Member States would be notifiable immediately. As the ICO suggests, a set of factors to assess the magnitude of the effect of an incident, together with guidance from the Cooperation Group referred to in the Regulation, would be sensible.”

Search Publication Archives

Our publication archives contain all of our articles.
Can’t find what you are looking for?
Try an Advanced Search

Log in to cyber security practitioner
Subscribe to cyber security practitioner
Register for a Free Trial to cyber security practitioner
cyber security practitioner Pricing

Social Media

Follow cyber security practitioner on TwitterView cyber security practitioner LinkedIn Profilecyber security practitioner RSS Feed