The government is to press ahead with a series of reforms and updates to the Network and Information Systems (NIS) Regulations 2018, which it claims will strengthen them to better protect the UK’s critical national services from cyber attack by bringing providers of outsourced IT and managed service providers (MSPs) into scope.
The NIS regulations were introduced to improve the cyber security of companies that provide critical services, such as energy, healthcare, transport or water, backed by fines of up to £17m for failure to comply.
The government now wants to add further protections for such organisations by extending coverage to outsourcers and MSPs, and so secure the UK’s vital supply chains. The move follows a public consultation on proposals first outlined in January 2022, to which the government has now published its response.
The government said high-profile attacks such as Operation Cloud Hopper – a Chinese cyber espionage campaign that targeted cloud MSPs between 2016 and 2018 – had shown that the UK’s cyber security laws need to be strengthened to protect the IT and digital services on which essential services depend.
Cyber minister Julia Lopez said: “The services we rely on for healthcare, water, energy and computing must not be brought to a standstill by criminals and hostile states. We are strengthening the UK’s cyber laws against digital threats. This will better protect our essential and digital services and the outsourced IT providers that keep them running.”
Paul Maddinson, director of national resilience and strategy at the National Cyber Security Centre, added: “I welcome the opportunity to strengthen NIS regulations and the impact they will have on boosting the UK’s overall cyber security.
“These measures will increase the resilience of the country’s essential services – and their managed service providers – on which we all rely.”
Alongside the extension of the NIS regulations, the government intends to introduce new requirements for organisations in scope to improve their cyber incident reporting through sector regulators such as Ofcom or Ofgem and the Information Commissioner’s Office (ICO).
This will include mandatory notification for a wider range of disruptive incidents, and for high-risk incidents even where they cause no disruption.
The rules will also allow regulators to establish a more transparent cost recovery system for enforcing the regulations, one that accounts for factors such as the wider regulatory burdens they face, with the aim of reducing the cost to the public purse. They will also allow the ICO to take a more risk-based approach to regulating digital services.
Also, the government will give itself the power to further amend the NIS regulations – which ultimately derive from European Union law – should the need arise in future.
Carla Baker, senior director of public policy for the UK and Ireland at Palo Alto Networks, commented: “Palo Alto Networks supports the development of an agile policy framework to reduce cyber security risks to our economy and society.
“We welcome the opportunity to engage with the UK government as it reviews the legislation and develops guidance for industry to enhance cyber resilience and combat the risk that malicious actors pose to the UK’s national security.”