Security requirements
At a glance
- If you are a relevant digital service provider, you are required to take appropriate and proportionate technical and organisational measures to manage the risks to your systems. These measures must ensure a level of security appropriate to the risk posed.
- NIS has specific obligations for these measures, which are further detailed by an additional law, the ‘DSP Regulation’. This section of the guide provides more information about these requirements.
- You must implement measures that cover the security of your systems and facilities; incident handling; business continuity management; monitoring, auditing and testing; and compliance with international standards.
- Many of these requirements align with the security provisions of the UK GDPR. You may also already be a data controller, in which case the UK GDPR applies to you anyway.
- You must maintain documentation to evidence your measures. This also aligns with the accountability principle of the UK GDPR, and its provisions on documentation. We can request to see these records during any investigation or inspection.
In brief
- What are the security requirements?
- What considerations must RDSPs have?
- What is meant by ‘security of systems and facilities’?
- What is meant by ‘incident handling’?
- What is meant by ‘business continuity management’?
- What is meant by ‘monitoring, auditing and testing’?
- What about compliance with international standards?
- Are there any documentation requirements?
- Requirement checklist
What are the security requirements?
Part 4 of NIS, and Regulation 12 in particular, outlines the obligations for RDSPs. These include the requirements of an additional law, the ‘DSP Regulation’, which provides specifics on a number of areas.
The primary requirement is detailed in Regulation 12(1). According to this, RDSPs must:
‘identify and take appropriate and proportionate measures to manage the risks posed to the security of network and information systems’
According to Regulation 12(2), these measures must:
- ensure a level of security appropriate to the risk posed;
- prevent and minimise the impact of incidents affecting digital services; and
- take account of the requirements of the DSP Regulation.
When determining your measures, you are allowed to consider the state of the art – this refers to the state of technological development; in other words, the type of security measures that are available to you. This is similar to the UK GDPR; however, with NIS you are not allowed to consider the costs of implementation.
This section of the guide provides an overview of the security requirements for RDSPs. It is based on the DSP Regulation, which has direct effect. We will provide further detailed guidance on these requirements soon. In the meantime, you may find that guidance from the European Union Agency for Cybersecurity (ENISA) assists you.
Other resources
ENISA has published guidance on the technical security measures for digital service providers.
What considerations must RDSPs have?
Regulation 12(2)(c) outlines that when considering your security measures, you must:
‘take into account the following elements as specified in Article 2 of EU Regulation 2018/151:
(i) the security of systems and facilities;
(ii) incident handling;
(iii) business continuity management;
(iv) monitoring auditing and testing; and
(v) compliance with international standards.’
These refer to requirements from the DSP Regulation, which has direct effect. These requirements are detailed below.
What is meant by ‘security of systems and facilities’?
This refers to both the security of your network and information systems, and the physical environment of those systems.
As specified in Article 1(a) of the DSP Regulation, your measures in this area should cover the following:
- systematic management of your network and information systems;
- physical and environmental security measures;
- security of supplies; and
- access controls to systems.
These requirements align with the expectations of the security principle under the UK GDPR, although they differ by specifying a number of elements that RDSPs must take into account when implementing their measures. For example, under the UK GDPR (and if appropriate for your circumstances) we would already expect you to:
- have an overall information security policy, along with specific organisational policies governing risk, data security, human resources, security of operations, encryption, etc., and ensure such policies are implemented by appropriate technical measures;
- take into account physical and environmental security when implementing appropriate technical and organisational measures;
- have both technical and organisational access control systems in place to ensure that such access is authorised and restricted to those who need it.
These requirements also align to a number of areas of the Cyber Essentials scheme, particularly in respect of access controls.
What do we need to consider in terms of systematic management of our systems?
You should establish appropriate policies for managing information security, including:
- risk analysis;
- human resources;
- security of operations;
- security architecture;
- secure data;
- system lifecycle management; and
- encryption, where applicable.
What do we need to consider in terms of physical and environmental security?
You should aim to implement a set of measures that protect your systems from damage. You need to address factors including system failure, human error, malicious action (external and internal) and natural phenomena.
What do we need to consider in terms of security of supplies?
You need to establish and maintain appropriate policies so that you know the accessibility and traceability of critical supplies.
What do we need to consider in terms of access controls?
You should have measures in place that ensure both physical and logical access is authorised and restricted based on business and security requirements. This is similar to the well-known ‘principle of least privilege’ – essentially, only those users who need access to a particular area of your premises, or a certain system, should have such access.
What is meant by ‘incident handling’?
Incident handling refers to your procedures for supporting the detection, analysis and containment of any incident, and your follow-up response. Article 2(2) of the DSP Regulation has a number of requirements for incident handling. These must include:
- incident detection processes and procedures;
- processes and policies on incident reporting;
- incident response; and
- incident assessment.
Again, these requirements are also similar to what we expect from data controllers under the UK GDPR, although they differ by specifying a number of elements that RDSPs must take into account. For example, if you are a controller, we expect you to have (if appropriate for your circumstances):
- appropriate security monitoring processes to detect anomalous behaviour and potential data breaches in a timely manner;
- incident management policies and procedures, including incident handling and response, escalation and analysis;
- a process for regular testing of the effectiveness of security measures, such as by way of vulnerability scanning and penetration testing, and then acting upon the results of such testing; and
- documentation of previous incidents and the existence of a continuous improvement process.
What must we do in terms of incident detection?
You should aim to implement processes and procedures that allow you to have timely and adequate awareness of any anomalous events. You also need to maintain and test these processes.
What must we do in terms of incident reporting?
You should have processes and policies in place on how you will notify the ICO of any incident, and how you identify weaknesses and vulnerabilities within your systems, your environment and your security measures.
What must we do in terms of incident response?
You should ensure that you have an established procedure so that your organisation is able to respond to any incident in an appropriate manner. This should include reporting the results of such measures.
What must we do in terms of incident assessment?
If you suffer an incident, you should have processes in place to enable you to undertake a full assessment of its severity. This should cover incident analysis, collection of relevant information, and the use of this to support a continuous improvement process.
What is meant by ‘business continuity management’?
Article 2(3) of the DSP Regulation requires you to have the capability to maintain or restore the delivery of services to acceptable predefined levels following a disruptive incident. This relates to contingency planning and disaster recovery.
This provision is very similar to the UK GDPR, which obliges data controllers to have the ability to restore access to and availability of personal data following a physical or technical incident.
What must we do in terms of contingency planning?
You need to establish contingency plans to ensure the continuity of your service. You should base these on business impact analyses. You also need to test and assess your plans on a regular basis, eg through exercises.
What must we do in terms of disaster recovery?
You must have recovery capabilities, and be able to test and assess these on a regular basis.
What is meant by ‘monitoring, auditing and testing’?
Article 2(4) of the DSP Regulation requires you to establish and maintain policies and processes concerning systems assessment, inspection and verification.
What must we do in terms of systems assessment?
You must plan and conduct a sequence of observations or measurements to check whether your systems are operating as intended.
What must we do in terms of inspection and verification?
You need to check that:
- your guidelines are being followed;
- your records are accurate; and
- any efficiency and effectiveness targets are being met.
What must we do about processes?
You need to design processes to reveal flaws in the security mechanisms of your systems. This has to include both technical processes, and those personnel involved in operations.
What about compliance with international standards?
The DSP Regulation does not lay down particular requirements for RDSPs in this area. Instead, Article 2(5) clarifies that the meaning of ‘standards’ in NIS refers to:
- standards adopted by an international standardisation body as specified in Regulation 1025/2012; and/or
- any European, national, or internationally-accepted standards and specifications relevant to the security of networks and information systems.
Examples of appropriate standards may include ISO/IEC 27001 on information security management systems and ISO/IEC 22301 on business continuity management systems, and any other related standards.
Other resources
You can access information on the ISO/IEC 27001:2013 and ISO/IEC 22301:2012 standards at the ISO online browsing platform.
Are there any documentation requirements?
Yes. The DSP Regulation requires you to ensure that you have ‘adequate’ documentation available to demonstrate compliance with the above security elements. You will also need to make this documentation available to the ICO if we need to verify your compliance, eg during the investigation of an incident or a follow-up inspection.
If you do not have the required documentation, we can undertake regulatory action against you.
Requirement checklist
Security of systems and facilities
☐ | We undertake systematic management of our network and information systems, and implement policies and procedures on: | |
☐ | Risk analysis | |
☐ | Human resources | |
☐ | Security of operations | |
☐ | Security architecture | |
☐ | Secure data | |
☐ | System lifecycle management | |
☐ | Encryption (where applicable/appropriate) | |
☐ | We implement physical and environmental security measures to protect our systems from damage, covering: | |
☐ | System failure | |
☐ | Human error | |
☐ | Malicious action | |
☐ | Natural phenomena | |
☐ | We establish and maintain appropriate policies to ensure the security of supplies, including: | |
☐ | Accessibility of critical supplies | |
☐ | Traceability of critical supplies | |
☐ | We implement measures to ensure physical and logical access is restricted according to business needs, including: | |
☐ | Implementing the principle of least privilege | |
☐ | Where necessary, establishing secure areas. |
Incident handling
☐ | We have established incident detection processes and procedures to: | |
☐ | Ensure timely and adequate awareness of anomalous events | |
☐ | Testing and maintenance | |
☐ | We have established incident reporting processes and procedures to: | |
☐ | Ensure we notify the ICO and other relevant organisations, eg the NCSC | |
☐ | Identify weaknesses in systems and security measures. | |
☐ | We have established processes and procedures to: | |
☐ | Ensure an appropriate incident response | |
☐ | Test this response and report on the results | |
☐ | We have established incident assessment processes and procedures including: | |
☐ | Incident analysis | |
☐ | Collection of relevant information | |
☐ | A continuous improvement process |
Business continuity management
☐ | We ensure that we have the ability to maintain/restore services to acceptable pre-defined levels by means of contingency planning and disaster recovery | |
☐ | We conduct business impact analyses and use the results to establish contingency plans | |
☐ | We test and assess such plans, eg through exercises | |
☐ | We establish recovery capabilities | |
☐ | We test and assess these capabilities, eg through exercises |
Monitoring, auditing and testing
☐ | We establish policies concerning systems assessment, inspection and verification, including: | |
☐ | Observations to assess systems are operating as intended | |
☐ | Verification that guidelines are being followed | |
☐ | Ensuring records are accurate | |
☐ | Ensuring that efficiency and effectiveness targets are met. |
Compliance with international standards
☐ | Where appropriate, we follow accepted international standards such as ISO 27001 and/or ISO 22301 |