On November 30, 2022, the UK government confirmed that the Network and Information Systems (“NIS”) Regulations 2018 (“NIS Regulations”) will be strengthened to protect essential and digital services against cyber attacks. The changes bring providers of outsourced IT and managed service providers (“MSPs”) into scope of the NIS Regulations. The announcement comes in response to a public consultation held in January this year.
The NIS Regulations came into force in 2018 to improve the cybersecurity of companies providing critical services, such as energy, healthcare, transport and water. In January 2022, the UK government launched a public consultation on proposals to amend the NIS Regulations in order to improve the UK’s cyber resilience. The proposals included seven policy measures to address the increasingly sophisticated and frequent cybersecurity threats facing UK companies. The seven proposals are split across two pillars as follows:
Pillar I: Proposals to amend provisions relating to digital service providers
- Expanding the regulation of digital service providers; and
- The supervisory regime for digital service providers.
Pillar II: Proposals to future-proof the NIS Regulations
- Delegated power to update the NIS Regulations in the future within its current framework;
- Delegated power to amend the scope of the NIS Regulations to add sectors and subsectors;
- Measure to regulate critical sectoral dependencies in NIS;
- Additional incident reporting duties beyond continuity of service; and
- Full cost recovery for NIS functions.
The changes bring providers of outsourced IT and MSPs that are key to the functioning of essential services into scope of the NIS Regulations. This change will extend the application of the NIS Regulations to important digital services, such as providers of cloud computing and online search engines.
The changes also introduce new requirements for essential and digital service providers to improve their cyber incident reporting to regulators such as Ofcom, Ofgem and the ICO. This includes notifying regulators of a wider range of disruptive incidents or high risk incidents, even if they do not cause disruption.
In addition, the new rules will allow regulators to establish a cost recovery system for enforcing the NIS Regulations that is more transparent and takes into consideration other factors, such as the wider regulatory burdens they face. This will allow the ICO to take a more risk-based approach to regulating digital services.
The changes will also give the UK government the power to further amend the NIS Regulations in the future. This includes the possibility of bringing more organizations within scope of the NIS Regulations if they become vital for essential services and adding new sectors which may become critical to the UK’s economy.
The government will now proceed with these proposals and amend the NIS Regulations accordingly.