Ofcom issues interim NIS guidance
for Operators of Essential Services in the digital infrastructure subsector
24 May 2018
The UK communications regulator, Ofcom, has published interim guidance for Operators of Essential Services (OES) in the digital infrastructure subsector under the Network and Information Systems Regulations 2018 (the NIS Regulations).
Under the regulations, which were made on 19 April 2018 and came into force on 10 May 2018, Ofcom, as the designated competent authority (CA) for the digital infrastructure subsector, must prepare and publish guidance for that subsector.
This interim guidance is mainly directed at OES. Under the NIS Directive, Member States are required to identify OES within several key sectors, including digital infrastructure. OES are entities which provide essential services that rely on network and information systems. Entities which meet the thresholds set out in the NIS Regulations are "deemed to be designated" as OES and are therefore immediately subject to the relevant duties in the NIS Regulations. Competent authorities also have powers to designate other entities that do not meet those thresholds, provided that certain conditions are met.
Ofcom's interim guidance:
- gives a high-level introduction to the NIS Regulations;
- sets out Ofcom's initial views on the immediate steps it expects OES in the digital infrastructure subsector to take, as a minimum, to meet their obligations under the NIS Regulations;
- explains which types of operator have duties imposed on them under the NIS Regulations;
- sets out the process and thresholds for reporting relevant security incidents that such operators must initially follow;
- introduces Ofcom's intended initial enforcement approach.
Ofcom as Competent Authority
The NIS Regulations (at Schedule 1) identify Ofcom as the CA for the digital infrastructure subsector.
The NIS Regulations deem certain entities to be OES for the digital infrastructure subsector.
The OES "deemed to be designated" for the digital infrastructure subsector are:
- Top Level Domain Name Registries (which service an average of 2 billion or more queries in 24 hours for domains registered within the Internet Corporation for Assigned Names and Numbers)
- Domain Name Service Providers (which service an average of 2,000,000 or more requesting DNS clients based in the United Kingdom in 24 hours, or which service 250,000 or more different active domain names)
- Internet Exchange Point Operators (IXP Operators which have 50% or more annual market share amongst IXP Operators in the United Kingdom, in terms of interconnected autonomous systems, or which offer interconnectivity to 50% or more of global internet routes)
Any entity meeting these criteria on 10 May 2018 is deemed an OES and is required to notify Ofcom of this fact by 9 August 2018. An entity that first meets the criteria after 10 May 2018 must notify Ofcom within three months of the date on which it met them.
Ofcom has the power to designate an entity as an OES for the digital infrastructure subsector, even if it does not meet any of the above criteria, but only if the following conditions are met:
- it provides an essential service of a kind specified in paragraph 10 of Schedule 2 to the NIS Regulations for the digital infrastructure subsector;
- its provision of that essential service relies on network and information systems;
- Ofcom concludes that an incident affecting the provision of that essential service by that entity is likely to have significant disruptive effects on the provision of the essential service.
Ofcom has said it would likely take a two-step approach before designating an entity as an OES: first, request information from that entity by serving an information notice under regulation 15(4) of the NIS Regulations, requiring it to provide the information Ofcom needs to assess whether to designate it; and second, invite the entity to submit written representations about any proposed decision to designate it as an OES.
OES Security Duties
The NIS Regulations impose the following security duties on designated OES:
- An OES must take appropriate and proportionate technical and organisational measures to manage risks posed to the security of the network and information systems on which its essential service relies.
- An OES must take appropriate and proportionate measures to prevent and minimise the impact of incidents affecting the security of the network and information systems used for the provision of an essential service, with a view to ensuring the continuity of those services.
- The technical and organisational measures must, having regard to the state of the art, ensure a level of security of network and information systems appropriate to the risk posed.
- An OES must have regard to any relevant guidance issued by the relevant CA when carrying out their duties.
The guidance says that NIS incident reports should be made via a standard form submitted to firstname.lastname@example.org. Reports should be made without undue delay, and in any event within 72 hours of the OES becoming aware of an NIS incident.
OES should also provide Ofcom with a general NIS incident contact point, for enquiries about incidents Ofcom becomes aware of that have not yet been reported to it. Ofcom points out that an OES must also take responsibility for notifying other appropriate agencies in the event of an NIS incident.
Penalties & Enforcement
Ofcom states that it currently expects enforcement to be broadly in line with the approach set out in its Enforcement guidelines for regulatory investigations and it will review in due course whether this approach needs adapting.
CAs can impose penalties of up to £17 million for breaches under the Regulations.
Ofcom admits it has had little time and opportunity to finalise detailed guidance for the purposes of the NIS Regulations, and expects that its initial guidance will need to evolve as it gains a better understanding of the sector.
Ofcom also expects the National Cyber Security Centre's Cyber Assessment Framework (CAF) to act as an important tool in its assessment of future OES compliance.
Competent authorities are strongly encouraged to use the CAF in order to provide consistency across sectors and the UK as a whole.
Ofcom may also ask designated OES to assess themselves against the CAF in the last quarter of 2018. This would form part of Ofcom's initial assessment of compliance within the sector and help identify any areas where additional work may be required.