Government response to the call for views on proposed legislation amending the Network and Information Systems Regulations 2018
Updated 9 November 2020
1. Contact details
This document sets out the government’s response to the public consultation, Call for Views on proposed legislation amending the Network and Information Systems Regulations 2018 of August 2020.
Comments on the government’s response can be sent to:
NIS Directive Team
Department for Digital, Culture, Media & Sport
4th Floor
100 Parliament Street
London
SW1A 2BQ
Email: [email protected].
Complaints or comments
If you have any complaints or comments about the consultation process you should contact the NIS Directive Team at the above address.
Freedom of Information
Information provided in the course of this consultation, including personal information, may be published or disclosed in accordance with access to information regimes, primarily the Freedom of Information Act 2000 (FOIA) and the Data Protection Act 2018 (DPA).
The Department for Digital, Culture, Media & Sport will process your personal data in accordance with the DPA and, in the majority of circumstances, this will mean that your personal data will not be disclosed to third parties. This consultation follows the UK government’s consultation principles.
2. Executive summary
In May 2020, the government published its first Post-Implementation Review of the Network and Information System Regulations 2018 (the NIS Regulations). The review’s purpose was to evaluate how effective the NIS Regulations have been in achieving their original objective of improving security standards across critical UK sectors. The review showed that whilst it is still too early to judge the long term impact of the NIS Regulations, organisations in scope are beginning to take steps to improve the security of their network and information systems and that the NIS Regulations are having a positive effect. The Post-Implementation Review also identified several areas of improvement to the NIS Regulations requiring policy interventions from the government, which would enhance their overall efficiency. This ultimately formed the basis of the proposed amendments to the NIS Regulations.
Call for Views consultation
In August 2020, the government published a Call for Views on a proposed Statutory Instrument to amend the NIS Regulations. The purpose of this Call for Views was to gather public views on the proposals to amend the NIS Regulations in the following eight areas:
- information-sharing powers
- the provision of information notices
- powers of inspection
- strengthening the enforcement regime
- amendments to the penalty regime
- the introduction of a statutory appeal route via the First-Tier Tribunal
- the timelines for Post-Implementation Reviews and
- sectoral amendments to Schedule 2 and non-UK operators of essential services offering services in the UK
The government received 68 responses to its Call for Views consultation. The responses were generally positive; however, a number of respondents highlighted areas of concern, and the government has addressed these through changes to the proposed Statutory Instrument where appropriate.
The government believes that these changes will address the concerns raised in the Call for Views and provide further reassurance to industry. The government strongly believes that the Statutory Instrument, as amended, will improve the implementation of the NIS Regulations and help ensure that as a result, the UK’s essential services will become more secure and resilient.
Consultation statistics
The government received 68 substantive responses, 1 letter of support and 2 invalidated responses to its consultation paper, Call for Views on proposed legislation amending the Network and Information Systems Regulations 2018 of August 2020.
Of these responses, 62 were received via the online survey portal and 6 were written responses via email. 46 respondents replied on behalf of an organisation and 22 responses were on behalf of individuals. All but 3 of the responding organisations said that they were within the scope of NIS; 2 organisations answered ‘no’ and 1 organisation answered ‘don’t know’. 6 respondents replied to the Call for Views via email, with 2 being from individuals and 4 being on behalf of an organisation.
The qualitative, open questions from this Call for Views provided helpful insight into the reasoning behind a respondent’s answer and gave the opportunity to provide suggestions, opinions and recommendations.
Many responses showed support for the draft amendments, highlighting the areas of the proposals that respondents approved of, such as changes to the information notices, the need for a Post-Implementation Review in 2022 and the introduction of a new appeal process.
The main theme across the responses received was the request for clarification on a few points in the legislation. These included a description of the exact powers wielded by inspectors and their limits, the explanation of the penalty bands to avoid unfair interpretation, and clarification on what a ‘reasonable request’ was to avoid the unnecessary sharing of an organisation’s sensitive and essential information.
4. Outcomes of the Call for Views
4.1. Information-sharing powers
Q1. To what extent do you agree or disagree with our proposals to improve the information sharing provisions in the regulations?
66% of respondents who submitted an answer to Q1 agreed with the proposals. A further 27% of respondents said they neither agree nor disagree, and 7% stated that they disagree. There was no significant difference in the responses based on whether they were responding as individuals or organisations.
The qualitative responses were aligned with the statistics above; broadly, respondents agreed with the proposals and indicated that they felt the amendments would increase the ability of the government to share knowledge and best practice and empower authorities to share information in the interest of securing national infrastructure whilst reducing uncertainty around the process of sharing information with law-enforcement authorities to reduce criminal activity in the cyber sector. This, many respondents felt, would lead to improved decision-making in the long term.
The qualitative responses also provided constructive insight with regards to these proposals. Respondents raised points around the extent to which this information will be used, the broad phrasing of the revised legislation and how information will be kept secure under the Regulations. In particular, it was reiterated that the data of operators of essential services and relevant digital service providers must be kept secure at all times, which some felt may become more difficult through such information-sharing, while others expressed reservations around the inclusion of ‘any other enactments’ in regulation 6(1)(a)(i), which, they felt, may lead to increased scrutiny and regulatory action under different regulations or other legislation.
Respondents, however, were broadly supportive of the inclusion of national security and the ground for information-sharing with law-enforcement authorities.
Government response
The government’s aim is to boost overall cooperation, facilitate knowledge-sharing to improve decision-making and policy development for a more effective implementation of the NIS Regulations, and to clarify the abilities of the competent authorities to understand the wider cybersecurity landscape. With regards to respondents’ concerns around securing information, the government highlights that reasonable steps must be taken to secure information; this applies to all NIS competent authorities and public bodies as a matter of course.
Taking this into account alongside the Call for Views consultation feedback, the government fully recognises that it is necessary to maintain trust, confidence and, importantly, the security of information.
Maintaining information-sharing provisions is important to reduce the burden of duplicative activities on organisations during the course of regular engagement for compliance and to facilitate better policy development and understand the threat landscape more effectively. This becomes even more critical where there is a threat to life or a significant risk to UK interests, sovereignty, or security.
In order to address the specific concerns raised, the government has made changes to its proposals. While the provisions relating to ‘any other enactments’ are meant to implement some of the points referred to above, amendments have been made to the NIS Regulations to address concerns, and the government has included a new provision setting out limitations on the information that may be shared, in the interest of proportionality and reasonableness. The government believes that this will achieve the aim whilst providing clear limits on the scope of information-sharing under regulation 6.
4.2 Amendments to the provision of Information Notices
Q2. To what extent do you agree or disagree with our proposals to clarify information notices?
The general response to Q2 is largely similar to Q1, with 63% of respondents agreeing with the government’s proposals to clarify information notices and 27% neither agreeing nor disagreeing. However, this changes based on who was responding; individuals were far less decisive than organisations and were split relatively equally between strongly agree (27%), agree (36%) and neither agree nor disagree (36%).
More in-depth qualitative consultation feedback to Q2 acknowledged the benefits of being able to use information more effectively, and some respondents mentioned that it improves learning and promotes better decision-making; however, the majority of qualitative responses on this question raised constructive points that the government has since considered in depth.
The general theme emerging from those respondents that disagreed was that the provisions are drafted too broadly, that they may add additional reporting burdens on operators of essential services and relevant digital service providers, and that the legislation does not set appropriate thresholds for what information may be relevant. Respondents were mostly apprehensive about the drafting in regulation 15(2)(b), which states that the competent authority may ask for information ‘to establish whether there have been any events that had an adverse effect on the security of network and information systems, and the nature and impact of those events’ as they feel that it is unnecessarily burdensome on operators of essential services and relevant digital service providers to provide information that is not directly related to a duty or an incident.
However, despite these reservations, the majority of respondents agreed with the proposals to clarify information notices.
Government response
The amendments to improve the drafting of the grounds for information notices were intended to improve the clarity and consistency of NIS implementation across all sectors as the original grounds of issuing an information notice to assess ‘the security of the OES’ network and information security’ were considered to need further clarity with regards to their application.
The government believes it is important to establish that there are proportionate reasons to request information to assess the security of an operator of essential services’ network and information systems. This provision was not an extension of the basis for an information notice, but rather a means to clarify its application so that competent authorities can confidently request information that is pertinent and which may have a direct impact on the security of an operator of essential services’ network and information systems.
The government’s approach was not intended to create any undue burdens on operators of essential services or relevant digital service providers. However, many respondents expressed views that the amendments may be read as being too open-ended. The government explicitly recognises that competent authorities’ ability to serve an information notice should not extend to ‘anything and everything’ NIS-related. Therefore the provisions in regulation 15 have been redrafted to make them more contained and to include language ensuring that authorities act with reasonableness: the information requested must be pertinent and authorities must have reasonable grounds for requesting it.
4.3 Powers of inspection
Q3. To what extent do you agree or disagree with our proposals to amend the powers of inspection?
There was a mixed response to Q3. Once again, the landscape changes based on whether respondents are individuals or organisations, with individuals being much more likely to respond positively (55%) to the proposals than organisations (40%) who were less certain.
Furthermore, the rate of answers from organisations who disagreed (40%) with the proposed amendments evenly matched those who agreed, indicating that they were very split on this area of the revised legislation.
Several respondents who agreed with the government’s proposals noted that the amendments added clarity to the expectations of both parties (operators of essential services, relevant digital service providers and inspectors) during any planned inspection, whilst others highlighted that the changes now align the NIS Regulations with other similar legislation that their businesses are already subject to. Furthermore, one respondent showed support for the explicit inclusion allowing competent authorities to conduct tests: “the addition of power to conduct tests for the purposes of assessing an OES security level is a sensible amendment to ensure OES systems perform as stated”, which boosts overall quality assurance of the NIS landscape.
However, adding explicit provisions did raise significant concerns for some. Several respondents highlighted that there is no apparent limitation to the power of inspectors, with other respondents emphasising that the revised powers appear to be “very sweeping” and “should be limited to only information / documentation relevant to the specific Information Security (sic) breach that is being investigated”.
It was suggested that the proposed legislation be given more proportionate parameters in this area. Other respondents commented that the new power of inspection allowing inspectors to direct operators of essential services to leave systems undisturbed could have a detrimental impact on the recovery of the service if it is affected post-incident (or during an incident) and could increase commercial and security costs for operators of essential services and relevant digital service providers.
Government response
The government intended this proposal to improve and provide further clarification and transparency to NIS inspections. The aim was to set out more clearly what powers are available to inspectors, instead of relying on the duties of operators of essential services and relevant digital service providers to assist inspections, which the government believes was heightening the level of ambiguity around what actions inspectors can and cannot take. However, the government recognises the importance of having appropriate safeguards in the legislation to ensure that the inspection framework is proportionate and reasonable, which will give operators of essential services and relevant digital service providers more confidence and clarity about how inspections would be carried out.
In response to the Call for Views feedback, safeguarding language has been included in the revised legislation to restrict the application to only relevant instances, without affecting the ability of the competent authorities to continue with the proposed inspection framework.
The drafting of regulation 16 was amended to provide appropriate limitations on the actions of inspectors by imposing a duty to act in a reasonable manner. Notably, two new provisions were included to address this feedback. Firstly, the Instrument will now require inspectors to take reasonable steps to ensure that the ability of an operator of essential services or relevant digital service provider to comply with their duties is not affected during the course of an inspection, and inspectors may consult with such relevant persons to ascertain what risks, if any, may arise during the course of an inspection. Secondly, a new provision setting out a duty for competent authorities to protect information gained through an inspection has been added; this requires enforcement authorities to secure any material, document or information against unauthorised access, interference or physical damage. Finally, provisions were added to give further clarity on the process of removing and returning any relevant documents, in the interest of clarity and consistency, and a duty for inspectors to produce proof of identity was also included for this purpose.
4.4. Strengthening the enforcement regime
Q4. To what extent do you agree or disagree with our proposal in regards to strengthening the enforcement regime?
The response to Q4 was also generally indecisive, even more so than Q3. Whilst 41% responded positively, 41% ‘neither agree nor disagree’ and 18% responded negatively.
Individuals were much more likely to ‘neither agree nor disagree’ (60%) than organisations (34%), but overall organisations were more likely to agree (38% vs 20%) or disagree (21% vs 10%). The majority of respondents did not explicitly disagree with the government’s proposals.
Those who agreed with the approach to strengthen the enforcement regime noted that the amendments were appropriate as they ensure that organisations actively rectify underlying issues and do not just pay a fine and then continue operations that are in breach of NIS duties. Many respondents agreed with the premise that there has to be an incentive for operators of essential services and relevant digital service providers to comply with the Regulations.
The nature of further qualitative feedback received from those respondents that did not explicitly agree with the government’s proposals was focused on a need for competent authorities to agree timeframes for remediation with operators of essential services and relevant digital service providers. In addition, one particular respondent disagreed with the proposed changes to the enforcement regime because they felt it “is very much in its infancy and has barely had time to bed down” adding that they “question the need to further develop policy that is so far untested”.
Other responses noted that the proposals were welcomed as they “move focus from penalty to practical application of enforcement” and provide additional proportionate levers (i.e. civil proceedings) to ensure compliance. One respondent also commented that revising the legislation to allow for multiple enforcement notices to be served simultaneously “provides a mechanism for the Competent Authority to address a number of potential breaches, affording the OES clarity on actions required to remedy”.
Furthermore, during the course of the Call for Views, the government received additional feedback from other government departments and competent authorities which aimed to make the drafting of both regulations more precise and clearer, with a more consistent framework.
Government response
The main issue that the government sought to address through its proposals is ensuring that the process of issuing enforcement notices is more straightforward, and that the framework is much more clearly set out. The proposed changes clarify how operators of essential services and relevant digital service providers can make representations before any enforcement decision is reached by the competent authority, which facilitates a more constructive and transparent conversation between the two parties. The process to seek representations will be flexible so that each competent authority can tailor it to their respective regulatory practice.
To facilitate this, the government has made operational changes to regulations 17 and 18, based on the fundamental principle of requiring representations before a decision is reached.
4.5. Amendments to the penalty regime
Q5. To what extent do you agree or disagree with the changes proposed to the penalty regime?
Q5 received broad agreement and responses were generally more positive, with 51% agreeing and only 16% disagreeing. The differences between individuals and organisations were similar to Q4, with individuals more likely to ‘neither agree nor disagree’ (50% vs 28% of organisations).
However, both individuals and organisations responded positively overall, with 38% of individuals and 55% of organisations agreeing, while 13% of individuals and 17% of organisations disagreed.
Respondents who agreed with the government proposals believed that the changes were a substantial improvement to the existing penalty regime as they facilitate a fairer, more proportionate process which emphasises a more collaborative approach between operators of essential services, relevant digital service providers and competent authorities.
Constructive points raised by the respondents focused on the lack of guidance in relation to how penalty bands will be interpreted, with one respondent who strongly disagreed with the government’s proposals stating that they “consider guidance on the determination of penalty awards to be unsubstantiated and inadequate”.
In contrast, there was overwhelming support for the introduction of the two-stage penalty regime which will increase procedural fairness by giving operators of essential services the opportunity to provide representations before the decision is formalised in a notice. One respondent highlighted that the inclusion of a “two step process is an improvement and emphasises a more collaborative approach” which other respondents believe is a fairer approach and will “enable dialogue” between the operators of essential services, relevant digital service providers and competent authorities, furthering collaboration and improving overall resilience across sectors.
Government response
The financial penalty regime is intended as a means of last resort, when all other measures have failed. The Post-Implementation Review outlined the need to further refine the wording around penalties, which the government has looked to reflect in the proposed amendments to the legislation.
In addressing the feedback received during the consultation, the government recognises the need to ensure there is appropriate guidance on how penalties are introduced and the processes used to reach that decision. Competent authorities have a duty to issue appropriate guidance on how they will enforce NIS obligations (and the framework more broadly), and the government believes that further information for operators of essential services and relevant digital service providers is appropriately provided via that medium.
The addition of a two-stage process will give organisations in scope an opportunity to provide feedback on an intention to serve a penalty, and the amendments aim to give competent authorities a better toolset to interpret bands according to the needs of their sectors.
4.6. Introducing a statutory appeal route via the First-Tier Tribunal
Q6. Are the General Regulatory Chamber Rules suitable for the handling of appeals against decisions by the competent authorities?
Q6 received no negative responses from either individuals or organisations. However, the most common response was “don’t know” (58%), with 88% of individuals and 50% of organisations giving this answer. The remaining 42% of respondents answered “yes”, indicating broad support for the government’s proposals.
Respondents largely supported the government’s approach to the General Regulatory Chamber as it increases consistency due to aligning with other legal practices that operators of essential services and relevant digital service providers already employ in other areas of business. One respondent highlighted that “the tribunal’s portfolio already includes information rights and electronic communications and seems a natural body for the hearing of appeals from OES under the NIS regulations”.
The majority of those who responded ‘don’t know’ commented that this was either because they felt that technical expertise was required to fully understand the government’s proposals, or because they had not yet needed to make an appeal and therefore could not evaluate the effectiveness of the current process against the anticipated impacts of the proposed changes.
However, the majority of respondents remain overwhelmingly supportive of the government’s decision to replace the independent reviewer procedure with a statutory appeals process governed by the General Regulatory Chamber Procedure Rules.
Government response
There have been no substantive changes in this section, in light of the positive feedback and lack of any further recommendations or suggestions. However, the government has made slight drafting improvements in the interest of clarity and alignment with the General Regulatory Chamber’s Rules of Procedure.
To this end, the grounds for appealing a decision have been clarified and provisions that are included in the General Regulatory Chamber’s Rules of Procedure, such as the timeframe for bringing an appeal, have been omitted from the instrument, as they will automatically apply.
Q7. To what extent do you agree or disagree with our approach to introducing a statutory appeal route via the First-tier Tribunal?
The majority of answers to Q7 were positive, with approximately 63% of overall respondents agreeing. However, a large proportion of respondents answered that they ‘neither agree nor disagree’. The difference in the nature of responses between individuals and organisations is minimal, with individuals generally responding more positively.
Respondents who agreed with the government’s approach to introduce a right of appeal, which will be heard by the First-tier Tribunal, noted that the proposal reduces the burden on operators of essential services and relevant digital service providers by having a clear appeals framework, encourages good practice and is an effective function to associate with legislation which, over time, will help to add clarity to the interpretation of the Regulations.
Government response
As outlined in the response to Q6, the government has improved the drafting and removed some unnecessary provisions. It was deemed that no further action was required.
4.7. Timelines for post-implementation reviews
Q8. To what extent do you agree or disagree with changes to the timeline for post-implementation reviews?
Overall, the majority of respondents agreed with the proposed changes to the timeline for the Post-Implementation Review. Organisations tended to react significantly positively (60% agree vs 11% disagree), but when it came to individuals there was more of a range in answers, with 38% agreeing and 38% disagreeing.
The majority of respondents agreed with the government’s proposals to move to a five-year timeline for Post-Implementation Review. Comments focused on the proposed new timeline being far more appropriate to reliably assess the efficacy of embedded regulatory requirements.
Several respondents raised concerns that the pace of technological change around cyber security and Critical National Infrastructure will not remain in line with the proposed timeline for Post-Implementation Reviews, with one particular respondent suggesting that “a 3 year review seems more reasonable”.
However, the majority of respondents were supportive of longer review periods as they recognised these are likely to bring a period of stability to the regulations, which in turn could reduce the cost burden on operators of essential services and relevant digital service providers of keeping up with technological and security changes.
Government response
The government believes that the initial two years of review were appropriate at the time of implementation and were needed to closely monitor the implementation of the new legislation. However, in the longer term, as highlighted in the Post-Implementation Review, a more standard review period is preferable, both to reduce the administrative burden of carrying out regulatory reviews and to bring the NIS Regulations into line with common practice.
Recognising that close monitoring of the legislation is needed to keep pace with technological change, the proposals set out a further two years to monitor the application of the current legislation.
While there is nothing in the NIS Regulations that would preclude the government from conducting further reviews in the short term, it is believed that a statutory requirement to publish biennial reports after 2022 would prevent longer-term impacts from being assessed appropriately. In light of this argument no further amendments have been proposed and the 5-year cycle will be retained, leaving open the option for reviews to be carried out sooner than 5 years, if appropriate.
4.8. Schedule 2 changes and the nomination of a person in regulation 8A
Q9. To what extent do you agree or disagree with the proposed changes to Schedule 2 of the NIS Regulations?
Overall, respondents were indifferent to these changes, with an average of 61% of total respondents ‘neither agreeing nor disagreeing’. However, the average respondent was more likely to agree (30%) than disagree (9%). Individuals tended to respond more positively than organisations (66% vs 23%), who were more likely to be undecided.
The majority of the respondents who answered that they ‘neither agree nor disagree’ highlighted that they gave this answer because the amendments in Schedule 2 were not applicable to their own industry, not because they disagreed with the proposals.
In contrast, many respondents showed their support for the need to review the criteria by which organisations fall into the scope of the NIS Regulations, as it is clear that the nature of businesses does evolve, which could very well affect whether they should be designated or not.
In addition to the online survey, the government received feedback from several competent authorities during the Call for Views consultation period. In particular, the Scottish competent authority recommended some minor changes to the definitions in Schedule 2 in order to more effectively outline the requirements in the Scottish health sector for meeting a designation threshold under the NIS Regulations.
Government response
The government’s intention with this proposal is to clarify and add (where non-existent) definitions to concepts referenced in the NIS Regulations in order to limit the potential of technical misinterpretation and to support competent authorities in the designation process. The definitions and thresholds contained in Schedule 2 are sector specific. The overall aim behind this is to ensure that the right organisations are covered and that the impact of the NIS Regulations is focused on where it is most appropriate.
The government is content that its approach to amending Schedule 2 enables the NIS Regulations to remain flexible and adapt to changing technological circumstances in order to remain effective, ensuring that all the right organisations are within the scope of the NIS Regulations.