Following the recent adoption of a new draft EU cybersecurity directive (we wrote about it here), the UK government has now also launched a consultation on its proposal to reform the existing UK cybersecurity legislation (see consultation here).

A recap of the current UK cybersecurity law: NIS Regulations

One of the key pieces of cybersecurity legislation in the UK is the Network and Information Systems Regulations 2018 (NIS Regulations), which implemented the 2016 EU NIS Directive prior to Brexit.

Under the NIS Regulations, businesses that provide certain essential services (referred to as operators of essential services, or OES) and relevant digital service providers (RDSPs) are required to register with the relevant competent authorities; meet a baseline level of cybersecurity requirements; and report any incident which has a significant impact on the continuity of the essential services.

Key changes under consultation

The UK government’s proposal consists of three pillars:

  • broadening the scope of the existing UK cyber security framework;
  • modernising the NIS Regulations; and
  • introducing standards for cyber security professionals.

The proposals are likely to have a profound impact both on businesses that provide IT and related services and on businesses that depend on IT and technology vendors. We summarise the proposals below.

Managed service providers will be caught by the NIS Regulations

Under the proposal, managed service providers will be added to the list of RDSPs and become subject to the obligations set out above.

Broadly, managed service providers are currently defined as external suppliers who 1) provide ongoing B2B service management of data, IT infrastructure, IT networks and/or IT systems; and 2) rely on network and information systems in their delivery of those services.

Examples currently set out in Annex 1 of the proposal include online security or technology advisory service providers, managed security operations centre providers, and suppliers who provide data analytics, automation and management services.

A two-tier supervisory regime for RDSPs

The UK government is further proposing to establish a two-tier supervisory regime for RDSPs, with the ICO being expected to assume a more proactive role to supervise the most critical digital services, while maintaining a more reactive role to supervise the remaining RDSPs with a lighter-touch approach.

The criteria used to identify the most critical providers will be open to consultation by the ICO. At this stage, the government is considering a list of relevant factors, together with examples of how these factors could be applied in practice. While some of the criteria, such as revenue, are easy to measure, others (e.g. the level of dependency of clients on the service) are harder to assess objectively and would give rise to uncertainty as to which tier a provider falls into.

Delegated power to update the NIS Regulations in the future

With a view to keeping the NIS Regulations up to date with industry and technology developments, another key element of the proposal is for the government to have the power to bring additional sectors within the scope of the regulation. The list of sectors the government is considering includes electric vehicles, data centres, demand response services (e.g. electrical chargepoint operators), and pharmaceutical and medical devices used in healthcare.

In addition to the power to extend the NIS Regulations to additional sectors, the proposal also looks to grant the government the power to designate critical suppliers or services on which existing OES and RDSPs depend. The minimum criterion for such a critical dependency is that an incident affecting the supply of that service is likely to have “significant disruptive effects” on the provision of the essential service. Effectively, this means that suppliers to OES and RDSPs other than managed service providers could also be caught by the NIS Regulations.

Expanded incident reporting duties

The proposal also looks to expand the incident reporting requirements to cover incidents that pose a significant risk to the security and resilience of the essential services, even where the incident does not directly affect the continuity of the service. For example, a ransomware attack may not always have a direct effect on the critical service, but it could leave the relevant business exposed to further compromise that could later impact the continuity of the service. Whilst the proposal is sensible from a business continuity perspective, a risk-based trigger requires a judgement call about which incidents qualify and is likely to increase the volume of reports made to the competent authorities.

What to expect next?

You can provide your feedback on the proposed reform via the government’s online consultation system. The consultation will close on 10 April 2022.

While the EU’s cybersecurity reform has focused more on expanding the scope of the NIS Directive to other sectors, the UK government’s proposal has, at least for now, focused its attention on key suppliers to the essential service providers.

If implemented, IT service providers and other critical digital service providers will essentially share the regulatory obligations with the essential service providers under the NIS Regulations, which does help to address the issue that many customers may not have the resources and knowledge to continuously monitor the cyber security practices of their suppliers.

However, with several key definitions and criteria yet to be finalised, the reform is still in its early days. What is clear is that regulators and legislators across the world (see recent proposals in the US here) are looking to enhance cyber security legislation and the landscape will become increasingly complex.