DCMS publishes consultation on NIS Directive for Digital Service Providers

27th March 2018 | News, Security

The Department for Digital, Culture, Media and Sport (DCMS) has published a targeted consultation to seek views on how the Government intends to implement the Network and Information Systems (NIS) Directive in relation to Digital Service Providers (DSPs) in the UK. This follows the publication of the Implementing Act for DSPs by the European Commission in January 2018.

The Government states that the UK will define DSPs in the same way as set out in the Directive, which means that DSPs will encompass “online marketplaces”, “online search engines”, and “cloud computing services”.

As the Government has previously stated, the Information Commissioner’s Office (the ICO) will be responsible for regulating DSPs in the UK in the context of the NIS Directive. As part of this role, the ICO will produce guidance to help DSPs establish whether they are in scope of the Directive. The consultation states that the ICO will also, after 10 May 2018 when the Directive comes into force, “establish a system in order for UK DSPs to register themselves with the ICO.” The Government states that this system “is necessary in order for the ICO to know who is required to meet the requirements of the Directive and who they need to regulate”, and that it is considering making registration mandatory.

The ICO will also publish guidance to ensure that DSPs understand their obligations under the Directive. This guidance will take into account the Technical Guidelines for the implementation of minimum security measures for Digital Service Providers published by the European Network and Information Systems Agency (ENISA) in 2017. This, according to the Government, will ensure that there is a consistent approach across Europe.

The ICO, along with the other relevant regulatory authorities, will have the power to recover the costs of regulating the NIS Directive. In this context, the Government expects that the ICO, in line with common practice in other regulations such as the GDPR, will levy an annual fee on DSPs, in addition to recovering direct costs involved in any regulatory investigations. The consultation states that the amount of this fee has not yet been determined and will be published by the ICO in due course.

The closing date for responses to the consultation is 29 April 2018.