NIS Regulations / NISD:
The NISD (the EU Directive on security of network and information systems) was implemented in the UK on 10 May 2018 by the NIS Regulations. The NIS Regulations apply to Operators of Essential Services (OES) and to Digital Service Providers (DSPs).
- OES are organisations (public or private) in vital sectors that provide services essential to the economy and society and that rely heavily on network and information systems.
- OES are operators in the following sectors that meet specified threshold requirements, which are defined by:
  - sector (energy, transport, health, drinking water supply and distribution, and digital infrastructure);
  - subsector – specific elements within an individual sector;
  - essential service – the specific type of service provided;
  - identification thresholds – size- or impact-based tests that determine which operators of that service are caught.
- Banking and financial market infrastructure are omitted because they are already subject to equivalent regulatory requirements.
- A DSP is an organisation that:
  - provides a digital service in the UK, namely an online search engine, an online marketplace or a cloud computing service; and
  - has its head office in the UK, or has nominated a representative who is established in the UK; and
  - is not a micro or small enterprise (broadly, fewer than 50 staff and an annual turnover or balance sheet total not exceeding EUR 10 million).
Both OES and DSPs must take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of the network and information systems on which their services rely. Having regard to the state of the art, these measures must ensure a level of security of network and information systems appropriate to the risk posed.
Communications Act 2003 (CA):
The CA requires providers of Public Electronic Communications Networks (PECNs) and Public Electronic Communications Services (PECSs) to take appropriate technical and organisational measures to manage risks to the security of those networks and services.
Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) / ePrivacy Directive:
The ePrivacy Directive was implemented in the UK on 11 December 2003 by PECR, which has since been amended several times.
PECR requires PECS providers to take appropriate technical and organisational measures to safeguard the security of their services, including restricting who can access personal data and protecting it while it is stored or transmitted. Providers must also notify the ICO of personal data breaches.
Data Protection Act 2018 (DPA) / UK GDPR:
The DPA / UK GDPR applies whenever personal data is processed, and imposes obligations:
- on controllers to process personal data in a manner that ensures appropriate security of the data (the ‘integrity and confidentiality’ principle) (Article 5(1)(f), UK GDPR);
- on controllers to apply data protection by design and by default when building systems and processes (Article 25, UK GDPR);
- on both controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (Article 32, UK GDPR); and
- on controllers to report personal data breaches to the ICO without undue delay and, where feasible, within 72 hours, unless the breach is unlikely to result in a risk to individuals (Article 33, UK GDPR), and to inform affected individuals where the breach is likely to result in a high risk to them (Article 34, UK GDPR); processors must notify the controller without undue delay after becoming aware of a breach (Article 33(2), UK GDPR).
Computer Misuse Act 1990 (CMA):
The CMA does not impose security obligations on businesses or individuals as such; instead it creates the principal cybercrime offences, including unauthorised access to computer material, unauthorised access with intent to commit further offences, unauthorised acts that impair the operation of a computer, unauthorised acts causing serious damage, and making or supplying articles for use in these offences.
eIDAS Regulation / UK eIDAS Regulation:
The eIDAS Regulation applied directly in the EU (then including the UK) from 1 July 2016. Following the UK's exit from the EU it was retained in UK law, with amendments, as the UK eIDAS Regulation.
The EU eIDAS Regulation provides a framework that allows people and businesses to use electronic identification to access online public services in other EU Member States. It also sets out requirements for trust services (such as electronic signatures, seals and time stamps), specifying what trust service providers must do to obtain qualified status and permitting them to use the EU trust mark.
In practice, a UK trust service provider should assume that it still needs to comply with the eIDAS rules as retained in the UK eIDAS Regulation. A UK trust service provider offering trust services in the EU may also need to comply with EU eIDAS law in the relevant Member States.