With cyber-security, it can often be confusing which practices must be in place for compliance. When it comes to businesses, those that provide digital services such as search engines or online marketplaces are obliged to meet the NIS (Network and Information Systems) Regulations, and must also understand the role the ICO (Information Commissioner's Office) plays as the ‘competent authority’ for these organisations. So if you provide a digital service, it is important to be aware of what is required so that you can ensure the correct standards are always being met.
Regulations and Security
The NIS Regulations ‘intend to address the threats posed to network and information systems and therefore aim to improve the functioning of the digital economy.’ Within this, cyber-security plays an important role in defining the requirements placed on relevant digital service providers, which include:
- ensuring a level of security appropriate to the risk posed
- preventing and minimising the impact of incidents affecting digital services
- taking account of the requirements of the DSP Regulation.
As well as this, digital service providers must implement measures that cover:
- the security of systems and facilities
- incident handling
- business continuity management
- auditing and testing
- complying with international standards.
For the full breakdown of the obligations in place, please refer to the Information Commissioner's Office.
Reporting an Incident
If your business encounters an incident that has ‘a substantial impact on the provision of your services’, the regulations require it to be reported to the ICO within 72 hours. Whether the impact is substantial is decided based on the number of users affected and the extent of the incident, e.g. how far it has spread. The ICO provides further guidance on when you should report an incident to it. As well as the ICO, businesses can also notify the NCSC (National Cyber Security Centre), which can act as a response team when incidents occur.