In response to a public consultation earlier this year, the government has confirmed that the Network and Information Systems (NIS) Regulations will be strengthened to protect essential and digital services against increasingly sophisticated and frequent cyber-attacks, both now and in the future.
The UK NIS Regulations came into force in 2018 to improve the cyber security of companies providing critical services. Organisations which fail to put in place effective cyber security measures can be fined as much as £17 million for non-compliance.
But high-profile attacks such as Operation CloudHopper, which targeted managed service providers and compromised thousands of organisations at the same time, show the UK’s cyber laws need to be strengthened so that they can continue to protect vital services and the supply chains they rely on.
Managed Service Providers (MSPs) provide IT services such as security monitoring and digital billing and can have privileged access to their customers’ IT networks. This makes them an attractive target for cyber criminals, who can exploit MSP software vulnerabilities to compromise a wide range of clients at once.
Under the new changes, MSPs, which are key to the functioning of essential services that keep the UK economy running, will be brought into scope of the regulations to keep digital supply chains secure.
The updates to the NIS regulations will be made as soon as parliamentary time allows and will apply to critical service providers, like energy companies and the NHS, as well as important digital services like providers of cloud computing and online search engines.
Other changes include requiring essential and digital services to improve cyber incident reporting to regulators such as Ofcom, Ofgem and the Information Commissioner’s Office. This includes notifying regulators of a wider range of incidents: those that disrupt service, and those that pose a high risk of, or could have a high impact on, their service, even if they don’t immediately cause disruption.
The updated rules will allow regulators to establish a cost recovery system for enforcing the NIS regulations that is more transparent and takes into account the wider regulatory burdens, company size, and other factors to reduce taxpayer burden.
The Information Commissioner will be able to take a more risk-based approach to regulating digital services under the updated cyber laws and will be allowed to take into account how critical providers are to supporting the resilience of the UK’s essential services.
See: Cyber laws updated to boost UK’s resilience against online attacks - GOV.UK (www.gov.uk)