The UK Network and Information Systems (NIS) Regulations 2018 will be strengthened in an effort to protect essential and digital services. On 30th November 2022, the UK government published its response to the public consultation on proposals to improve the UK’s cyber resilience. As the UK is no longer bound by EU legislation, it will not be implementing the NIS 2 Directive, recently adopted by the European Parliament and Council. However, the frequency and scale of cyber incidents, and the consequent increased risk of severe damage, have prompted change to UK cyber laws as well.

What are the changes?

  1. Managed service providers (MSPs) will be brought into the scope of the NIS Regulations. MSPs provide IT services such as security monitoring, incident response and digital billing. As part of providing these services, MSPs may have privileged access to customers’ IT networks. Bringing MSPs within scope aims to keep digital supply chains secure.
    • Characteristics of MSPs
    • The managed service:
      • is provided by one business to another business;
      • is related to the provision of IT services, such as systems, infrastructure, networks and/or security;
      • relies on the use of network and information systems, either of the provider, their customers or third parties; and
      • provides regular and ongoing management support, active administration and/or monitoring of IT systems, IT infrastructure, IT network and/or security.
    • Detailed guidance will be provided by the ICO once the proposals come into effect.
  2. Essential and digital services currently caught by the NIS Regulations will be required to notify regulators of a wider range of incidents: those that disrupt service, and those that could pose a high risk or impact to their service (but have not actually affected the continuity of the service directly). The challenges around identifying exactly when this expanded reporting duty would apply have been highlighted in the consultation. Detail on reporting thresholds and what will need to be included in an incident report will be included in guidance to be prepared by the regulators in collaboration with the National Cyber Security Centre (NCSC) and regulated bodies.
  3. The UK government will also have the power to amend the NIS Regulations in the future, in consultation with the public, to ensure they remain effective. New sectors may be brought into scope if they are deemed to be critical to the UK’s economy.
  4. The ICO will take a more flexible, risk-based approach to regulating digital services and will be able to take into account how critical providers are to supporting essential services. The ICO will be responsible for producing any guidance on how it will regulate digital services using this approach.
  5. The exemption for small and micro businesses will largely be maintained, although the ICO will have the power to designate specific small and micro digital service providers to be within the scope of the NIS Regulations if they are deemed systemically critical to the UK’s critical services or national security.

The government intends to implement these changes as soon as parliamentary time allows. Whilst the UK changes are less far-ranging than the widening of scope introduced by NIS 2, the divergence between the EU and UK cyber laws means we will see dual regulation for organisations operating in the EU and UK.