
Government conclusions on NIS implementation

Posted by malcolm on Monday, January 29th, 2018 at 13:57

The UK Department for Digital, Culture, Media & Sport (DCMS) has published its response to the replies it received to last year's public consultation on implementation of the Network Information Security Directive (NIS-D). Finding broad support from responders for its proposed approach, it intends to press ahead largely unchanged, but with altered thresholds and adjustments to the penalty regime.


In regard to Internet Exchange Points, the government has dropped port capacity as the criterion for identifying essential services; any particular threshold would quickly have become out of date. Instead, the qualifying criteria will be based on market share and routing table coverage. An IXP operator will qualify as an essential service if it has:

  • "50% or more annual market share amongst UK IXP Operators in terms of interconnected autonomous systems", or
  • if it "offer[s] interconnectivity to 50% or more of Global Internet routes"

The thresholds for DNS providers have also been changed:

  • Operators of TLD registries will qualify as operators of essential services if they service an average of 2 billion queries or more per day (threshold unchanged);
  • Operators of DNS resolvers will qualify as operators of essential services if they service an average of 2 million DNS clients per day (changed from 60 million DNS queries per day). Moreover, only resolvers for publicly accessible services will count, which may exclude some public and academic sector operators.
  • Additionally, operators of authoritative DNS hosting will also be brought into scope of NIS-D, for operators who host 250,000 domain names or more, again for public services.

The penalty regime has been simplified to a straightforward maximum fine of £17 million. This replaces a two-tier structure of up to €20 million or 4% of global turnover for failure to implement appropriate security measures, and €10 million or 2% of global turnover for other offences. For many, but not all, of the affected businesses this will be a reduction in their exposure.

Another change is that incident reporting will be viewed as a compliance operation, for the operator to register the existence of a security incident with the regulator, separate from incident response. This is intended to protect the existing co-operative relationship operators have with the National Cyber Security Centre and other government protective services.

The government has also made adjustments to the draft "high level security principles" with which operators will be required to comply, in some cases so as to make the expectation more specifically require a good outcome, rather than merely a good process. 

The government has confirmed that it will proceed with the approach of using sector-specific regulators as the regulator for NIS-D, resulting in multiple "Competent Authorities". This was broadly welcomed by affected businesses. Accordingly, the NIS-D regulator for Digital infrastructure (IXPs and DNS providers) will be Ofcom.


© London Internet Exchange, 2018 Registered office: London Internet Exchange Limited, 2nd Floor, Trinity Court, Trinity Street, Peterborough PE1 1DA United Kingdom . Registered in England, Number: 3137929
VAT Registration Number: GB 665 9580 82 Head office main telephone number Telephone: +44 (0)1733 207700 Fax: +44 (0)1733 207729
