Tech biz must tell us about more security breaches, says UK.gov as it ponders lowering report thresholds

Breach reporting law might have effect on overseas operators too


The British government wants to make Amazon, Google, and other digital service providers report cybersecurity breaches to the Information Commissioner, according to newly published plans.

Due to Brexit, the government can amend the UK's Network and Information Security (NIS) Regulations to let the Information Commissioner's Office (ICO), the local data watchdog, dictate what kind of cybersecurity breaches must be reported to it.

"The proposal is to revoke Article 4 from the UK retained version of Commission Implementing Regulation 151/2018 (which sets out the thresholds) and allow the Information Commissioner's Office, as the Competent Authority for digital service providers, to set the thresholds at a more appropriate level through guidance," said the government on its consultation page.

Current thresholds set in the UK version of the EU regulation, as published on the Legislation.gov.uk site, are:

  1. the service provided by a digital service provider was unavailable for more than 5 000 000 user-hours whereby the term user-hour refers to the number of affected users in the Union for a duration of 60 minutes;
  2. the incident has resulted in a loss of integrity, authenticity or confidentiality of stored or transmitted or processed data or the related services offered by, or accessible via a network and information system of the digital service provider affecting more than 100 000 users in the Union;
  3. the incident has created a risk to public safety, public security or of loss of life;
  4. the incident has caused material damage to at least one user in the Union where the damage caused to that user exceeds EUR 1 000 000.

Digital service providers in the EU are regulated by whichever EU member state they are headquartered in. Many pick Ireland for its low taxes on tech multinationals, which has the side effect of Ireland's Data Protection Commission being put under pressure by privacy activists relatively often.

Since Britain left the EU in January this year, however, those laws no longer fully apply. And the UK government is keen to make the world's tech companies bend the knee to the ICO by lowering mandatory incident reporting thresholds under the NIS regs.

Backing up government assertions that current thresholds are too high, the ICO confirmed to The Register that just one incident was reported to it under NIS between 2018 and 2020 – and even that one fell below the threshold. A spokeswoman told us: "The ICO has been engaging with the Department of Culture, Media and Sport on this.

"This is a clear deficiency arising from our withdrawal which needs to be rectified to reflect the UK's new position, and the thresholds should be lowered to account for the UK's market."

A previous report from the Department for Culture, Media and Sport (DCMS) reckoned most of the information required by the ICO would "normally be gathered as part of a 'business as usual' response to a security incident."

£40m compliance cost and counting

The NIS regs were created by an EU directive of the same name in 2016, ordering member states to pass laws forcing companies to report incidents including cybersecurity failures. DCMS formally reviewed [PDF] the regs last summer, concluding their mere existence was driving "a longer-term improvement in the security of network and information systems."

At the time UK.gov's minions expected there to be around 1,300 security incidents per year falling within the general scope of the regs, though almost all of these were below the reporting threshold – and many ended up being reported to the NCSC and other government agencies anyway.

DCMS also took credit for costing the private and public sectors a total of £40.2m in "additional security costs" and compliance driven by NIS. Its May 2020 report said "approximately" 43 per cent of orgs covered by the NIS regs were in the public sector – adding that reporting an incident to the ICO costs £54 each time.

The full draft amendments proposed by the government can be read here as a PDF. Page 9 onwards contains the new, lowered thresholds, which appear to be worded so they would also apply to DNS operators outside the UK if they serve more than a certain number of domains registered to UK postal addresses. Oil and gas operators will also be captured if Parliament nods through the amendments.

The public consultation closes on 25 September and details of how to respond are on Gov.UK. ®
