Non-UK-headquartered cloud providers (including SaaS) and online marketplaces that offer services in the UK should consider (1) appointing a UK representative under the UK NIS Regulations this month, i.e. during April 2021, and (2) reviewing their security measures and incident reporting policies/procedures for NIS compliance. ("NIS" stands for "network and information security systems" including associated data such as personal data, but is often used to refer to EU NIS laws.)
UK-headquartered SaaS providers should also consider registering with the ICO during April 2021.
What do the NIS Regulations involve?
Changes to the UK's NIS Regulations took effect on 31 Dec 2020 and 20 Jan 2021, but may have been overshadowed by the intense focus on Brexit. Implementing the EU's NIS Directive, they remain in place post-Brexit. They imposed requirements regarding (1) security measures and (2) incident reporting on "digital service providers" (DSPs), including cloud providers and online marketplaces. The ICO (Information Commissioner's Office) is the competent authority under the UK NIS Regulations. "Relevant digital service providers" (RDSPs) must register with the ICO and report notifiable NIS incidents within 72 hours absolute (not just where feasible). NIS is separate from the GDPR and fines under both laws are theoretically possible.
How do the NIS Regulations apply to SaaS services?
It's generally accepted (including by the ICO) that IaaS/PaaS providers are caught by NIS laws. However, SaaS providers have tended to take a risk-based approach to UK registration, for three main reasons. Firstly, registration can put the provider on the regulatory radar (though there's no registration fee for NIS, and the register is not public). Secondly, UK non-registration was not subject to a fine (it may be now, see later). Thirdly, the ICO states SaaS services are caught "only to the extent that they provide a scalable and elastic pool of resources to the customer". Accordingly, some SaaS providers argue their services are not "cloud computing services" within NIS, because they do not enable access to a "scalable" and "flexible" pool of shareable computing resources. Others (particularly technical experts) might consider that cloud services, including SaaS, by their nature "respond to increases in demand or changes in workload" as per ICO guidance. Certainly the general trend is to toughen up security rules for cloud providers generally: the EU's planned NIS 2 Directive will move cloud computing service providers "up" into the "essential" digital infrastructure category.
Factors SaaS providers have considered, in deciding whether to register, include how important their services are to the UK economy/society, and particularly the extent to which their services are provided to, or even relied on by, customers (termed "operators of essential services" or OESs under NIS) in order to provide critical infrastructure services in the UK.
But even when providers of SaaS services in the UK choose not to register with the ICO, it is still advisable for them to check and document their compliance with NIS under the NIS Implementing Regulation (a form of "accountability", which is not difficult to do for providers that already follow good security practices), and to consider building NIS notification/reporting into their incident response plans, not just GDPR notifications.
What's changed in the UK?
Three key NIS Regulations updates have changed the landscape for those providing "digital services" in the UK, including SaaS providers.
Non-UK providers - UK representative. Firstly, Reg.14A, a Brexit-related provision which took effect 20 Jan 2021, requires those already offering digital services in the UK, but without head offices in the UK, to nominate a UK representative and notify the ICO "within three months of the date on which these regulations come into force" (except small/micro enterprises). Non-compliance could be fined up to £1m (Reg.18(6)(a)). The "three months…" wording causes uncertainties. Strictly, "these regulations" (i.e. the original NIS Regulations) came into force in 2018! Rather than an impossible obligation to "backdate" UK representative appointments/notifications, surely this must be read as three months from when that change took effect (20 Jan 2021), i.e. for non-UK-headquartered cloud providers/online marketplaces offering services in the UK, a deadline of 19 Apr 2021.
Top fines in more situations. Secondly, from 31 Dec 2020 the NIS fines risk has significantly changed. Previously, the highest possible UK NIS fine ("penalty"), of £17m, could be imposed "for a material contravention which the enforcement authority determines has caused, or could cause, an incident resulting in an immediate threat to life or significant adverse impact on the United Kingdom economy". Now, that top-level fine can be imposed for "a material contravention which the NIS enforcement authority determines has or could have created a significant risk to, or significant impact on, or in relation to, the service provision by the OES or RDSP". In short, theoretically the top-tier fine may now be imposed for a security breach which significantly affects service provision, i.e. the availability of the service itself – regardless of the service's importance (or not!) to the UK economy. So, service outages (presumably only where affecting UK users) could incur a large fine.
Fine for not registering? For providers of cloud services/online marketplaces with UK HQs, it is now uncertain whether non-registration may be fined, because of changes in how and when fines can be imposed (previously, only following an enforcement notice for breach of stated provisions, not including the registration requirement). The updated Regulations did not follow through on those changes, so it is not impossible that non-registration could now be fined as a "contravention" (up to £1m), to give meaning to that lowest tier for fines. But, for those already providing digital services in the UK, the deadline for registration has been and gone – it was in 2018.
Are there any rays of light?
As flagged above, small/micro enterprises are exempt (fewer than 50 staff and an annual turnover and/or balance sheet below €10 million) – but the ICO includes the larger group's staff and turnover size when assessing this exemption, so many groups will not be exempt.
There's a possible loophole for non-UK digital service providers. The UK Regulations' private sector obligations apply only to RDSPs (and OESs). So, only RDSPs can be fined – not other DSPs. However, an RDSP is "a person who provides a digital service in the United Kingdom and satisfies the following conditions— (i) the head office for that provider is in the United Kingdom or that provider has nominated a representative who is established in the United Kingdom…" (with small/micro exemption) – Reg.1(3)(e). Now, if a non-UK-headquartered DSP chooses not to appoint a UK representative, then strictly it is not an RDSP and the UK NIS Regulations don't apply to it! This is surely a drafting oversight which the ICO (and any inspectors – inspection powers have expanded too), and even UK courts, might ignore in practice, given the Regulations' legislative objective. (Another oversight, perhaps due to Brexit resourcing issues – Reg.12 on security requirements still refers to digital services within the EU, rather than UK.)
It does assist RDSPs that a NIS fine can be imposed only if the ICO considers it warranted in the facts and circumstances of the case, and only of an amount the ICO determines is "appropriate and proportionate" to the failure, within the three tiers of ceilings now stipulated by the Regulations (Reg.18(1), (3B), (5)).
The DSP dilemma in practice
Those offering cloud services (including SaaS) or online marketplaces in the UK now face some dilemmas. It's unclear how or where the ICO draws the line between "scalable and flexible" and not "scalable and flexible". It could take a different view than a DSP, particularly with hindsight after an incident.
If a UK DSP had not registered previously but registers now, the unclear wording of the updated Regulations means it could be fined for late registration. If a UK DSP doesn't register with the ICO but later suffers a notifiable NIS incident, then, should the ICO decide the relevant service was in scope, the DSP could be fined for not notifying the incident, perhaps for the security failures that led to the incident (both could be "material contraventions" – ceilings of £8.5m or even £17m depending on how service provision was or could have been affected), and possibly for the non-registration. If such a DSP decides to report a notifiable incident to the ICO despite not being registered, it could be fined for security failures and non-registration, but at least reporting within the NIS deadline would avoid a fine for non-notification. This decision is likely to be influenced by reputational and other considerations: e.g. if the incident was already in the media or had been notified to the ICO by a third party, the ICO's attitude may be less unfavourable if the DSP had itself notified the ICO under NIS.
Some non-UK DSPs might take a robust approach and not appoint/notify a UK representative so as not to become an "RDSP" under the Regulations' current wording, and argue the RDSP point should it later arise. But, in case a purposive interpretation of the Regulations is adopted, other non-UK DSPs might wish, in deciding whether to appoint/notify a UK representative, to consider the factors that UK DSPs must now consider in relation to registration.
Dear ICO, pretty please?
Until the UK government finds time to amend the NIS Regulations to clarify the uncertainties raised above, hopefully the ICO will issue guidance to address these specific problems. Perhaps the ICO could opine on whether non-registration is now finable, but offer an amnesty period whereby it agrees that it will not fine any DSPs that register or appoint a representative by, say, the end of May 2021 (given the uncertainties regarding the deadline for UK representatives under the updated Regulations)? Expanding on the extent to which the ICO considers SaaS services are in scope, beyond repeating the wording of the NIS Directive/Regulations, would also be very welcome.