Considered in Grand Committee
My Lords, these regulations were laid in draft before the House on 26 October. They will make important rectifications to the UK’s network and information systems legislation, which helps maintain the security of key digital services on which British people and businesses rely. Their purpose is to ensure that the Information Commissioner’s Office, in its role as competent authority for digital service providers, is kept informed of serious cyber events that affect digital service providers, comprising online marketplaces, online search engines and cloud computing services.
Before I turn to the provisions set out in this instrument, I will set the scene for the proposals it contains. The Network and Information Systems Regulations implemented the European Union’s security of network and information systems directive of 2016. As a result of our departure from the European Union, certain deficiencies have arisen in the relevant legislation retained under the provision of the European Union (Withdrawal) Act 2018, which this instrument seeks to rectify.
The purpose of the Network and Information Systems Regulations, or NIS regulations for short, is to improve and maintain the security and resilience of essential services, such as transport or energy, within the UK, as well as certain digital service providers. The NIS regulations work by compelling operators of essential services and digital service providers to undertake measures to protect the network and information systems on which their essential or digital services rely from failure through either cyberattack or physical faults.
The NIS regulations are overseen by 12 competent authorities, which act as regulators for essential and digital services across six sectors. Organisations in scope of the NIS regulations must fulfil certain duties, such as having appropriate measures to protect their services and, critically, reporting cybersecurity incidents that have a substantial impact on their services to their competent authority.
Digital service providers, which form one of these six sectors, are regulated by the Information Commissioner, who acts as the competent authority. In other sectors, the factors and incident reporting thresholds, which determine what constitutes a “substantial impact” for the purposes of reporting, are set out in guidance published by the relevant competent authority.
Under the original EU directive and the UK’s subsequent implementation, digital services are treated differently from essential services. They were regulated at an EU level, with one country taking responsibility for the activities of an individual digital service provider across the whole of the European Union. For this reason, the factors to be taken into account when determining whether an incident had a substantial impact for the purpose of reporting were not left to member states but set out in the Commission’s implementing regulation, which applied across the EU market. When an incident reaches this threshold, it must be reported to the relevant competent authority, which regulates that provider on behalf of the European Union.
When the UK left the EU, the Commission implementing regulation remained embedded in UK law by virtue of the European Union (Withdrawal) Act 2018. However, the parameters and thresholds for reporting incidents set by that Commission regulation are no longer appropriate for the UK as an independent state. The most significant issue relating to reporting thresholds is that they were set by reference to the number of users affected or user hours lost. As these had been set with the EU market in mind, they were set at a level that is too high for the smaller UK market. As a result, the Information Commissioner has received only one report of a cyber incident affecting digital service providers since our departure from the European Union.
Under the current scenario, an incident needs to have a noticeable impact on an economy the size of the EU to be reportable in the UK. If the Information Commissioner is not receiving reports of incidents within the UK because the thresholds are too high, they will not have an accurate picture of what is happening in their sector. They will be unable to identify the threat, provide guidance or take necessary enforcement action if the provider is found to have breached its duties to protect its services. It is important, if the legislation is to remain effective, that the Information Commissioner is afforded the ability to set the reporting thresholds at a level appropriate for the UK.
I will now set out in a little more detail how the instrument before us seeks to resolve this deficiency. The key proposed amendment will remove the defective reporting thresholds from the UK version of the Commission implementing regulation. The NIS regulations already allow the Information Commissioner to issue guidance and the Information Commissioner has already carried out a consultation on these thresholds in parallel to the instrument being developed.
The instrument before the Committee strengthens the role of that guidance by adding a provision to the NIS regulations ensuring that digital service providers have regard to that guidance when considering whether an incident has substantial impact and is therefore reportable. The practice of setting these reporting thresholds in guidance is common among all other NIS competent authorities in the country; it is only by virtue of how digital services were supervised across the EU that their reporting requirements were set by an EU regulation.
The approach of using guidance to set the thresholds affords far greater agility to the regulator, allowing the Information Commissioner to respond to new developments and to set levels that are proportionate and not burdensome on the providers or, indeed, her own office. This amendment would bring digital service providers in line with operators of essential services in all other sectors across the NIS framework, ensuring that regulators are able to identify significant incidents affecting key services across the economy and act accordingly.
There are also other minor textual amendments to the NIS legislation resulting from our departure from the EU, such as those that require digital service providers to consider the geographical impact of an incident across the UK, rather than across the EU. The amendments in the instrument are made using the power in Section 8 of the EU withdrawal Act. As the Committee will be aware, such provisions allow only for changes to be made to rectify EU-related deficiencies and not to implement policy changes.
I am content that these changes do not implement a new policy; rather, they make good on a requirement that is already in place—to notify substantial cyber incidents—by ensuring that the thresholds for reporting can be set at a level sustainable for the UK market. The changes do not introduce any new elements to the NIS legislation or make changes to the nature of the duties imposed on digital service providers.
I am certain that the Committee will recognise the significance of supporting the security of digital services for our society—from ensuring that people are able to use the internet securely to protecting the critical digital services that underpin the functioning of our economy.
Having the right legislative framework for deterring those who aim to compromise our systems and providing the necessary tools to help those who become victims of such compromises is vital. Without knowledge of such incidents, we cannot act: regulators and experts cannot provide much-needed support and guidance and we cannot inform others of impending threats.
In summary, the primary purpose of this instrument is to remove the incident reporting thresholds for digital service providers operating in the UK from legislation, allowing the thresholds instead to be set by the Information Commissioner in guidance at a level suitable for the UK economy.
The amendments are small, but nonetheless important to the functioning of our legislative framework. They ensure that the intended objective is achieved, that the policy is better implemented and that regulators have the tools to protect key digital services across our economy. As a result of these changes, the effectiveness of the network and information systems legislation to protect digital service providers will be retained. I commend these regulations to the Grand Committee.
My Lords—well, my Lord—the Minister will be pleased to know that I do not have a lot that I want to say. As I understand it, this SI makes a couple of small changes, as the Minister has said, to retained EU law regulating the security of network and information systems of core UK service providers to reflect that fact that we are no longer part of the pan-EU regulatory regime.
I have just one or two questions. Why, given that the transition period ended almost a year ago, are we debating these changes only at the end of November 2021? While this may not have been day-one critical, one would have hoped that these kinds of cybersecurity issues would have been a priority for the DCMS.
The Government are lowering the reporting thresholds when relevant cyber incidents occur in an attempt to ensure that the Information Commissioner is sighted on them. Can the Minister confirm whether DCMS knows of any incidents occurring earlier in the year that did not meet the current threshold that would have met the revised one had it been in place?
When we discussed amendments to EU-derived regulations for video-on-demand providers in the past, the department conceded that our departure from the EU meant that we had no formal jurisdiction over most of the main players, which were generally registered on the continent. Is there a similar situation with some of the digital service providers or is this not a concern currently?
The Explanatory Memorandum, which I found very clear and helpful, shows that most of the costs associated with the change will fall on the Information Commissioner’s Office. Our understanding is that the Information Commissioner is working well as a regulator, but of course with expanded responsibilities comes the need for greater resourcing. Is DCMS comfortable that the commissioner has enough staff and wider resource to complete these duties?
I turn to my final point. Is alignment with EU practices an issue at all, and do we have a continuing relationship with the EU regulator and regulation? Do we have to work within a commonly accepted framework, even though we are now outside the EU and obviously have to have our own system for regulation, appropriate to the size of our market?
My Lords, I am grateful to the noble Lord for his questions and helpful comments on the impact assessment. He asked why we are doing this now and not sooner. The issue that I outlined at the beginning was not identified as a deficiency until last year, when the Information Commissioner raised concerns over incident thresholds with DCMS—that is why we have brought forward the statutory instrument at her recommendation and in consultation with the ICO.
The noble Lord asked about the ICO’s resources. We are confident that it has the resources, but we will maintain close dialogue with her to keep that under review. We have a continuing relationship with the EU. The matters here obviously cross international boundaries and, despite leaving the European Union, we continue to work with our European neighbours and other international partners on issues such as this. But obviously we have no obligation to implement the new directive that the EU is bringing forward. We are monitoring developments in the EU to assess any impacts that those changes might have.
I am afraid I missed the noble Lord’s second question, but the note I have been handed reminds me that it was on digital service providers. There is now a requirement for non-UK digital service providers to register with the Information Commissioner. As I say, there will be a divergence from EU regulations, but we will continue to follow a similar approach. I hope that answers the questions that he outlined and, on that basis, I commend the regulations to the Committee.
Committee adjourned at 7.37 pm.