The British government wants to make Amazon, Google, and other digital service providers report cybersecurity breaches to the Information Commissioner, according to newly published plans.
Due to Brexit, the government can amend the UK’s Network and Information Security (NIS) Regulations to let the Information Commissioner’s Office (ICO), the local data watchdog, dictate what kind of cybersecurity breaches must be reported to it.
“The proposal is to revoke Article 4 from the UK retained version of Commission Implementing Regulation 151/2018 (which sets out the thresholds) and allow the Information Commissioner’s Office, as the Competent Authority for digital service providers, to set the thresholds at a more appropriate level through guidance,” said the government on its consultation page.
Current thresholds set in the UK version of the EU regulation, as published on the Legislation.gov.uk site, are:
Digital service providers in the EU are regulated by whichever EU member state they are headquartered in. Many pick Ireland for its low taxes on tech multinationals, which has the side effect that Ireland’s data protection regulator is put under pressure by privacy activists relatively often.
Since Britain left the EU in January this year, however, those laws no longer fully apply. And the UK government is keen to make the world’s tech companies bend the knee to the ICO by lowering mandatory incident reporting thresholds under the NIS regs.
Backing up government assertions that current thresholds are too high, the ICO confirmed to The Register that just one incident was reported to it under NIS between 2018 and 2020 – and even that one fell below the threshold. A spokeswoman told us: “The ICO has been engaging with the Department of Culture, Media and Sport on this.
“This is a clear deficiency arising from our withdrawal which needs to be rectified to reflect the UK’s new position, and the thresholds should be lowered to account for the UK’s market.”
A previous report from the Department for Culture, Media and Sport (DCMS) reckoned most of the information required by the ICO would “normally be gathered as part of a ‘business as usual’ response to a security incident.”
£40m compliance cost and counting
The NIS regs were created by an EU directive of the same name in 2016, ordering member states to pass laws forcing companies to report incidents including cybersecurity failures. DCMS formally reviewed [PDF] the regs last summer, concluding their mere existence was driving “a longer-term improvement in the security of network and information systems.”
At the time UK.gov’s minions expected there to be around 1,300 security incidents per year falling within the general scope of the regs, though almost all of these were below the reporting threshold – and many ended up being reported to the NCSC and other government agencies anyway.
DCMS also took credit for costing the private and public sectors a total of £40.2m in “additional security costs” and compliance driven by NIS. Its May 2020 report said “approximately” 43 per cent of orgs covered by the NIS regs were in the public sector – adding that reporting an incident to the ICO costs £54 each time.
The full draft amendments proposed by the government can be read here as a PDF. Page 9 onwards contains the new, lowered thresholds, which appear to be worded so they would also apply to DNS operators outside the UK if they serve more than a certain number of domains registered to UK postal addresses. Oil and gas operators will also be captured if Parliament nods through the amendments.
The public consultation closes on 25 September and details of how to respond are on Gov.UK. ®