the nis regulations for rdsps and other indecipherable
play

The NIS Regulations for RDSPs And other indecipherable acronyms - PowerPoint PPT Presentation

Nov 10, 2022 •1.14k likes •1.69k views

The NIS Regulations for RDSPs And other indecipherable acronyms Jon Langley Senior Technology Officer (Technology Policy) What well be covering What is NIS, and what is it for requirements The ICOs regulatory function How NIS

  1. The NIS Regulations for RDSPs And other indecipherable acronyms Jon Langley Senior Technology Officer (Technology Policy)

  2. What we’ll be covering • What is NIS, and what is it for requirements • The ICO’s regulatory function • How NIS and the GDPR overlap under NIS – and inter-relate • Who’s covered – and who isn’t • Available guidance • How NIS is being regulated – • Resources enforcement, penalties, etc. • Digital services and security

  3. CA SaaS ICO NCSC OES NIS NIS RDSP SPOC IaaS CSIRT GCHQ PaaS Each one is in this presentation somewhere!

  4. What is NIS?

  5. • Key dates: – Finalised: 6 July 2016 Network and Network and – Implementation: 10 May Information Systems Information Systems 2018 (NIS) Directive (NIS) Directive EU 2016/1148 EU 2016/1148 • Brexit? – Required to transpose – UK Government: NIS will continue to apply post- Brexit NIS Directive – originating EU law

  6. • Key date: – In force: 10 May 2018 • Part of the delivery of the UK’s National Cybersecurity Strategy 2016-2021 – A requirement of the NIS Directive NIS Regulations - UK implementing law

  7. What’s it for?

  8. • Three goals: – Address threats posed to essential services – Ensure smooth running of the EU’s internal market – Protect customers and businesses • Is it a cybersecurity law? – Not entirely, but most of it concerns cybersecurity – However it concerns physical and environmental factors too • Including the weather! Purposes of NIS

  9. What are “network and information systems”?

  10. • Three definitions: a) “Electronic communications networks” b) Devices, or groups of connected devices, which perform “automatic processing of digital data” c) “Digital data” stored, processed, retrieved or transmitted by either of the above “for the purposes of their operation, use, protection and maintenance” • BUT: Only in the sectors specified in the Directive! Network and information systems

  11. Who’s covered?

  12. Services that are essential for the functioning of the economy and wider society Operators of essential services (OES)

  13. Online search engines… Online marketplaces… Cloud computing …with a UK head office or services… nominated representative Relevant digital service providers (RDSPs)

  14. • “a digital service that allows users to perform searches of, in principle, all websites or websites in a particular language on the basis of a query on any subject in the form of a keyword, phrase or other input, and returns links in which information related to the requested content can be found” Online search engines – Regulation 1(2)

  15. • Number of UK- based online search engines? 0 Source: DCMS Examples?

  16. • “a digital service that allows consumers and/or traders to conclude online sales or service contracts with traders either on the online marketplace’s website or on a trader’s website that uses computing services provided by the online marketplace” Online marketplaces – Regulation 1(2)

  17. • Total number of UK-based online Not UK-based marketplaces: 2 UK-based, but SME exemption applies Source: DCMS Examples?

  18. • “a digital service that enables access to a scalable and elastic pool of shareable computing resources” Cloud computing services – Reg 1(2)

  19. • Estimated number of UK-based cloud computing services: c. 200 Source: DCMS – but we are checking! Examples?

  20. NIS covers the providers , not the customers Cloud computing service models

  21. • Micro and small enterprises are not covered • Organisations with: – Fewer than 50 staff AND – Turnover or balance sheet of less than €10m • Commission Recommendation 2003/361/EC – Defines SMEs for purposes of EU law – Used in the NIS Directive and reflected in UK NIS Regs SME carve-out – Regulation 1(3)(e)(ii)

  22. NIS: multiple ‘Competent GDPR: one ‘Supervisory Authority’ Authorities’ (to rule them all) DoH/NHS Digital Health ICO DEFRA Water Digital Ofcom infrastructure BEIS Energy Data Data DfT controllers processors Transport ICO RDSPs Multi-regulator model

  23. Single point of contact on security of network • Single Point of Contact & information systems Liaison with other authorities in cross-border • incidents Monitor incidents at national level • Computer Security Provide early warning, alerts, etc. • Incident Response Incident response • Team Risk analysis • Incident notification & communication to CAs • SPOC and CSIRT

  24. What are RDSPs required to do?

  25. Security Incident Registration measures notification

  26. • “Identify and take appropriate and proportionate measures to manage the risks posed to the security of network and information systems” • “Prevent and minimise the impact of incidents” • Ensure the measures cover: – security of systems and facilities, incident handling, business continuity, monitoring, auditing, testing, and compliance with international standards… Security requirements – Reg 12 (1) & (2)

  27. • RDSPs to notify the ICO of incidents that have: – “a substantial impact on the provision” of their service(s). • Notification: – “Without undue delay” and “no later than 72 hours” after awareness of the incident – Include information on time, duration, nature and impact – RDSPs must assess incidents themselves – Only required to notify if they have access to information to allow the assessment Incident reporting – Reg 12(3) to (7)

  28. • Key info: – Finalised: 30 January 2018 Commission Commission – Applied: 10 May 2018 Implementing Implementing – Has direct effect Regulation on digital Regulation on digital service providers service providers • Specifies: EU 2018/151 EU 2018/151 – Security elements (Article 2) – Parameters for incident assessment (Article 3) – Thresholds for determining the impact of an incident (Article 4) The “DSP Regulation”

  29. • Regulation 12(2)(c) – when implementing their measures, RDSPs must: – Take account of Article 2 (security elements) • Regulation 12(7)(a) and (b) – when assessing if an incident has a substantial impact, RDSPs must: – Take account of the parameters in Article 3 – Assess whether any of the “situations” in Article 4 apply • These are numerical thresholds How is the DSP Regulation reflected in the UK?

  30. • The parameters: – Number of users affected – Duration of the incident – Geographical area affected (number of Member States) – Extent of disruption to the service – Extent of the impact on economic & societal activities • Article 3 provides further information on each – For example, meaning of “duration of the incident” What are the parameters?

  31. • Article 4 – numerical thresholds for when an impact is considered “substantial” – Service unavailable for more than 5m “user-hours” – Incident results in a loss of integrity, authenticity or confidentiality of data or related services, and the loss affects more than 100,000 users in the Union – Incident creates a risk to public safety, security or life – Incident causes material damage to at least one user of more than €1m • At least one must occur. What are the “situations”?

  32. What are the ICO’s functions as a Competent Authority?

  33. Incident Enforcement International notification powers (and co-operation and penalties) investigations And maintain the RDSP register…

  34. • The ICO will: – Receive notifications and investigate cases • With follow-up action where necessary – Share notifications with the NCSC – Inform “relevant authorities” in other Member States – Inform the public (in certain circumstances) – Make annual reports to the NCSC Incident notifications – Reg 12

  35. • Range of powers available: – Information Notices – Powers of inspection Our functions are funded by grant-in-aid for 2 – Enforcement Notices years and then cost – Penalties recovery • These are: – Separate from GDPR/DPA 2018 powers – All post-incident upon incident notification or concerns raised – contrast with OES CAs Enforcement powers – Regs 15, 16, 17 and 18

  36. • Up to: – £1,000,000 – for “any contravention” which “could not cause an incident”. – £3,400,000 – for “material contraventions” that cause Four tiers of incidents which lead to “reduction of service provision” fines – Reg 18 – £8,500,000 – for “material contraventions” that cause incidents which lead to “disruption of service provision” – £17,000,000 – for incidents leading to “an immediate threat to life” or “significant adverse impact” on the economy

  37. • ICO to co-operate and assist CAs in other Member States where: – RDSPs have systems in another state – Digital services located in another state have systems in the UK • Includes: – Sharing information with other CAs – Making requests for enforcement action – Receiving requests for enforcement action International co-operation – Reg 13

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

document, but ABS expertise to implement the regulations and regulations other acts + env.

document, but ABS expertise to implement the regulations and regulations other acts + env.

Baseline analysis and gaps Do you have an Do you have ABS Do you have Institutional Has a participatory PIC ABS policy in regulations? framework/procedures? processes been defined? place? Cameroon No but fragmented No . But some provisions

350 views • 3 slides
Regulations August 2015 1 Why is EPA making changes to the UST regulations? Establish

Regulations August 2015 1 Why is EPA making changes to the UST regulations? Establish

Overview of Revisions to the Underground Storage Tank (UST) Regulations August 2015 1 Why is EPA making changes to the UST regulations? Establish equity in Indian country for secondary containment and operator training Improve

609 views • 20 slides
Standards and regulations for a better management of risks Plan of the presentation 1. Standards

Standards and regulations for a better management of risks Plan of the presentation 1. Standards

Standards and regulations for a better management of risks Plan of the presentation 1. Standards Regulations Referencing standards in regulations o Prescriptive regulations o Performance-based regulations o 2. Use of standards in policy

682 views • 47 slides
Updates to the Impact Aid Regulations October 4, 2016 Impact Aid Regulations Update New

Updates to the Impact Aid Regulations October 4, 2016 Impact Aid Regulations Update New

10/3/2016 Updates to the Impact Aid Regulations October 4, 2016 Impact Aid Regulations Update New regulations were published on September 20, 2016 Statutory references changed from 8002 and 8003 to 7002 and 7003 Does not include

586 views • 26 slides
Regulations, 2015 1 www.bsestarmf.in SEBI PIT Regulations Certain vulnerability in

Regulations, 2015 1 www.bsestarmf.in SEBI PIT Regulations Certain vulnerability in

SEBI (PIT) Regulations, 2015 1 www.bsestarmf.in SEBI PIT Regulations Certain vulnerability in erstwhile Insider Regulation, 1992 in spite of substantial amendments in year 2002 and 2008. Resulted into promulgation of SEBI PIT

718 views • 9 slides
New Foreign Tax Credit and FTC Splitting Regulations and FTC Splitting Regulations Mastering

New Foreign Tax Credit and FTC Splitting Regulations and FTC Splitting Regulations Mastering

Presenting a live 110 minute teleconference with interactive Q&A New Foreign Tax Credit and FTC Splitting Regulations and FTC Splitting Regulations Mastering Section 909 and 901 Rules to Maximize Efficiencies in Complex FTC Planning

915 views • 66 slides
Workers Regulations Agency Workers Regulations Introductions Debbie Caswell MD North &

Workers Regulations Agency Workers Regulations Introductions Debbie Caswell MD North &

Agency Workers Regulations Agency Workers Regulations Introductions Debbie Caswell MD North & Midlands Sue Jeffery Director Corporate Accounts Agency Workers Regulations A Recap on AWR Agency Workers Regulations Summary of AWR The

530 views • 26 slides
The New Section 503 of the Rehabilitation Act & VEVRAA Regulations Overview Background on

The New Section 503 of the Rehabilitation Act & VEVRAA Regulations Overview Background on

The New Section 503 of the Rehabilitation Act & VEVRAA Regulations Overview Background on Laws and Regulations Effective Dates for New Regulations Why the Changes? Rescinded Regulation Definitions Equal Opportunity

599 views • 23 slides
Topics Current regulations and reporting of outbreaks Major changes to regulations

Topics Current regulations and reporting of outbreaks Major changes to regulations

Conference For Humbaugh 11/07/2014 Healthcare Transparency & Patient Safety 2 Topics Current regulations and reporting of outbreaks Major changes to regulations Definitions Simultaneous reporting of data to both National

348 views • 5 slides
CEE/EHS 597B Class #8: Regulations, Sampling and Reporting Dave Reckhow Regulations

CEE/EHS 597B Class #8: Regulations, Sampling and Reporting Dave Reckhow Regulations

CEE/EHS 597B Class #8: Regulations, Sampling and Reporting Dave Reckhow Regulations Pathogens: treatment technique & surrogates CT Coliforms Turbidity Chemicals: MCLs Pb/Cu Fe/Mn DBPs: THMs & HAAs

597 views • 49 slides
CEE/EHS 597B Class #8: Regulations, Sampling and Reporting Dave Reckhow Regulations

CEE/EHS 597B Class #8: Regulations, Sampling and Reporting Dave Reckhow Regulations

CEE/EHS 597B Class #8: Regulations, Sampling and Reporting Dave Reckhow Regulations Pathogens: treatment technique & surrogates CT Coliforms Turbidity Chemicals: MCLs Pb/Cu Fe/Mn DBPs: THMs & HAAs

715 views • 25 slides
Ne New aspects in MD w aspects in MD regulations regulations in t in the R e Russian Feder

Ne New aspects in MD w aspects in MD regulations regulations in t in the R e Russian Feder

Ne New aspects in MD w aspects in MD regulations regulations in t in the R e Russian Feder ssian Federation ation Amiran Preobrazhenskiy PreobrazhenskiAV@roszdravnadzor.ru The Order of the Ministry of Health of the Russian Federation

218 views • 8 slides
ECONOMIC SUBSTANCE REGULATIONS IN UAE Economic Substance Regulations in UAE Transparency has

ECONOMIC SUBSTANCE REGULATIONS IN UAE Economic Substance Regulations in UAE Transparency has

ECONOMIC SUBSTANCE REGULATIONS IN UAE Economic Substance Regulations in UAE Transparency has been high on government agendas since the global financial crisis and this has resulted in the introduction of a number of tax transparency and

207 views • 9 slides
Library Library Rules Rules and and Regulations Regulations: Existing Situation and Global

Library Library Rules Rules and and Regulations Regulations: Existing Situation and Global

Library Library Rules Rules and and Regulations Regulations: Existing Situation and Global Experience Victoria Moskina and Christina Papule The Artful Plan: a short introduction; an overview of main ideas of guidelines and

376 views • 25 slides
External Insurance Act Judicial Management Regulations Forms & Fees Regulations

External Insurance Act Judicial Management Regulations Forms & Fees Regulations

External Insurance Act Judicial Management Regulations Forms & Fees Regulations Classes of Insurance Business Regulations Capital Requirements for External Insurers, Insurance Managers, External Insurance Brokers 2 This

971 views • 62 slides
Complying with Water Quality Laws & Regulations Arkansas Water Laws & Regulations

Complying with Water Quality Laws & Regulations Arkansas Water Laws & Regulations

Complying with Water Quality Laws & Regulations Arkansas Water Laws & Regulations September 24, 2020 Jordan P. Wimpy Topics to Discuss: Background refresher on Clean Water Act Developments at the federal level WOTUS Step II

791 views • 50 slides
Harmonising health in a Green Brexit Public health messages in responses to Health and harmony:

Harmonising health in a Green Brexit Public health messages in responses to Health and harmony:

Harmonising health in a Green Brexit Public health messages in responses to Health and harmony: the future for food, farming and the environment in a Green Brexit consultation WHO REPLIED? Breakdown of type of organisation responding to the

414 views • 9 slides
AIR QUALITY & PYTHON: DEVELOPING ONLINE ANALYSIS TOOLS AIR QUALITY & PYTHON TALK OUTLINE

AIR QUALITY & PYTHON: DEVELOPING ONLINE ANALYSIS TOOLS AIR QUALITY & PYTHON TALK OUTLINE

DOUGLAS FINCH @douglasfinch AIR QUALITY & PYTHON: DEVELOPING ONLINE ANALYSIS TOOLS AIR QUALITY & PYTHON TALK OUTLINE Who I am/ what I do A case study of using python for science, data analysis & web development Making

297 views • 29 slides
Hauliers & Logistics EU Business Readiness Webinar 4 th October 2019 Border Delivery Group 1

Hauliers & Logistics EU Business Readiness Webinar 4 th October 2019 Border Delivery Group 1

These slides were created for the webinar on 4/10/19 and are not for further dissemination. For the most up to date information, please refer to Gov.UK. Hauliers & Logistics EU Business Readiness Webinar 4 th October 2019 Border Delivery

906 views • 59 slides
AIR QUALITY & PYTHON: DEVELOPING ONLINE ANALYSIS TOOLS AIR QUALITY & PYTHON ABOUT ME

AIR QUALITY & PYTHON: DEVELOPING ONLINE ANALYSIS TOOLS AIR QUALITY & PYTHON ABOUT ME

DOUGLAS FINCH @douglasfinch AIR QUALITY & PYTHON: DEVELOPING ONLINE ANALYSIS TOOLS AIR QUALITY & PYTHON ABOUT ME Post-doctoral researcher in the School of Geochemistry SOFTWARE DEVELOPER Background in atmospheric chemistry

476 views • 23 slides
Capacity Building UK Department of Energy and Climate Change Abu Zaki, May 2016 International

Capacity Building UK Department of Energy and Climate Change Abu Zaki, May 2016 International

International Climate Fund and Capacity Building UK Department of Energy and Climate Change Abu Zaki, May 2016 International Climate Fund The purpose of the ICF support international poverty reduction by helping developing countries to

590 views • 23 slides
Henry Leveson-Gower 28 January 2014 This project is part funded by the European Regional

Henry Leveson-Gower 28 January 2014 This project is part funded by the European Regional

Water Abstraction Reform Henry Leveson-Gower 28 January 2014 This project is part funded by the European Regional Development Fund (ERDF) as part of the South East ERDF Competitiveness Programme 2007 2013 Outline Abstraction and why it

182 views • 15 slides
London School of Economics Sustainability in Practice Lectures Positive Deviance: a strategy for

London School of Economics Sustainability in Practice Lectures Positive Deviance: a strategy for

London School of Economics Sustainability in Practice Lectures Positive Deviance: a strategy for our times 14 th January 2010 Sara Parkin Founder Director www.forumforthefuture.org.uk Forum for the Future UKs leading sustainable

320 views • 28 slides
Cyber security Tiered approach to cyber security preparedness in water National Sector

Cyber security Tiered approach to cyber security preparedness in water National Sector

Cyber security Tiered approach to cyber security preparedness in water National Sector What I am Company utilities in the UK going to Water UK good practice cover NIS Directive Dr Jim Marshall, Senior Policy Advisor,

231 views • 4 slides

More recommend