Infrastructure providers should re-examine their contracts under the lens of NIS

Companies must inform the ICO of incidents, but that doesn't apply to their cloud providers

Critical infrastructure providers (CIPs) who are affected by the Networking and Infrastructure Security (NIS) Directive should update their cloud provider contracts as soon as possible, warned Dr Kuan Hon of Fieldfisher at Computing's Cloud & Infrastructure Live! event last week.

NIS is a new EU directive (it is only enforced in countries that have implemented it: the UK is one) that applies to providers in the energy, transport, healthcare, water and digital infrastructure markets - and also to 'digital service providers' (DSPs) like cloud providers.

Under the terms of the directive, these providers must protect their NIS systems and report any incidents that affect these systems to the regulator - in the case of DSPs, the ICO - within 72 hours, as an absolute deadline.

Although this is similar to the GDPR, that regulation requires incident reporting within 72 hours ‘where feasible'.

"Under NIS - and this applies to critical infrastructure operations as well - it's 72 hours maximum… DSPs and critical infrastructure operators will have to be geared up to report within 72 hours," says Hon.

A potentially dangerous stipulation in the Directive is that DSPs must report any incidents that have "a substantial impact on the provision of [their] digital service in the EU."

If CIPs rely on a cloud provider for any of their critical services, the CIP must notify about incidents at the cloud provider that significantly affect a critical service - but the cloud provider has no legal obligation to notify its critical infrastructure clients.

"You could be fined for not notifying about incidents at your cloud provider! This really means that, from a practical level, you must make sure that your contracts with your cloud provider make them notify you of incidents, because you can't notify your regulator without your provider notifying you."

Some incidents at a cloud provider are obvious - if nothing works, then something has obviously gone wrong. However, others are more subtle and could affect a service without being immediately apparent; this makes updating contracts to ensure that a provider is legally bound to notify you as a client very important.

Hon noted that that "The UK government is taking quite an expansive view of ‘significant impact'; so, for example, something affecting billing or payment services might actually have a significant impact on a critical infrastructure service - you have to bear all of that in mind."