Protecting critical services and infrastructure from cyber incidents is a key priority for legislators on both sides of the Channel. We heard last month how the EU is expanding the scope of its Network and Information Systems (NIS) regime to cover new sectors (see our blog). In the UK, the Government has now published its response to a consultation on proposals for legislation to improve the UK’s cyber resilience. These proposals, which focussed on amending the UK’s NIS rules, were largely supported in the consultation feedback. The Government is therefore proceeding with its plans, subject to a few tweaks to reflect issues raised in the consultation process.
It is worth noting that these changes diverge from the EU’s approach, which will affect organisations that fall under both the UK and EU NIS regimes. Also, we do not yet have the full picture, as much of the detail regarding these changes will be provided at a later date, through guidance or secondary legislation.
What does the NIS regime do?
The NIS Regulations 2018 promote the security of networks underpinning the UK’s essential and digital services. Amongst other things, they impose security and incident notification obligations on operators of essential services in sectors such as health, transport, energy and water and on certain digital (e.g. cloud) service providers (DSPs).
What did the proposals cover?
The Government had proposed seven policy measures split across two pillars.
The pillar 1 proposals looked at amendments relating to DSPs – for example, expanding the digital services regulated under the NIS regime to include managed services (e.g. IT outsourcing services) and introducing a two-tiered supervisory regime for DSPs.
Pillar 2 focussed more on how to future-proof the UK’s NIS regime. This included providing ministers with powers to update the NIS Regulations through secondary legislation (provided there was no scope expansion) and to bring new sectors and sub-sectors in scope. There were also plans to expand the current incident reporting duties to include incidents which pose a significant risk even if they do not affect the continuity of the service directly, and to allow the Government to designate critical suppliers/services on which current in-scope organisations depend, effectively bringing key parts of their supply chain under the remit of the NIS regime.
While the majority of these proposals were supported by respondents to the consultation, some concerns were raised. For example, regarding the proposals to:
- bring “managed services” in scope as a DSP: the original proposals included a set of characteristics for in-scope managed services and a list of example services. Following consultation feedback, both were slightly amended (for example to remove a requirement that the service relied on the provider’s own network and information system). The updated characteristics are now that the managed service: (i) is provided by one business to another business (i.e. a third party); (ii) is related to the provision of IT services, such as systems, infrastructure, networks and/or security; (iii) relies on the use of network and information systems, whether these are the network and information systems of the provider, their customers or third parties; and (iv) provides regular and ongoing management support, active administration and/or monitoring of IT systems, IT infrastructure, IT networks and/or security. These criteria would not cover software developers or data centres, although the Government is carrying out a review of the security and resilience of the latter. Also, certain data centres may already be in scope, if for example they are used by cloud service providers. In addition, the Government confirmed that when these proposals come into effect, the ICO (as the DSPs’ regulator) will set out detailed guidance on the characteristics of in-scope managed service providers;
- introduce a two-tier supervisory regime for DSPs: the proposals set out a proactive supervisory regime for the most critical digital services, and a reactive one for the rest. Respondents to the consultation noted that including criteria for a tiered regime in legislation could be problematic, and the Government is therefore considering whether a more flexible, risk-based assessment would work better. It plans to implement these changes through non-legislative means: for example, the ICO will produce guidance on how it will regulate digital services using a risk-based approach;
- provide ministers with the power to add new sectors and subsectors: the Government acknowledged, following concerns raised in the feedback, that the new powers needed safeguards and also that consultations would take place ahead of any changes. It also noted that it is committed to conducting post-implementation reviews of the NIS Regulations which provide important evidence around which sectors should be considered. The last one took place earlier this year (see our previous blog) and the next will be delivered by 2027; and
- introduce a full cost recovery model for the NIS Regulations: despite the majority of respondents disagreeing with this proposal, citing concerns around burdens on businesses and the risk of incentivising regulators to enforce more regularly, the Government still wants to make changes as (in its view) the current model does not work. It will therefore publish additional guidance to clarify the impact of the cost recovery methods.
The Government has said it will amend the NIS Regulations to reflect these proposals, subject to finding “a suitable legislative vehicle” to do so. It will also work closely with out-of-scope regulators to ensure regulatory burdens on industry are minimised. The consultation response noted that this includes the FCA and Bank of England and their proposals relating to critical third parties in the finance sector.