The number of technology providers subject to UK legislation on network and information security (NIS) is set to expand under plans confirmed by the UK government.

The Department for Digital, Culture, Media and Sport (DCMS) consulted on a range of reforms to the UK’s NIS regulations earlier this year. It has now published its response to the feedback received, confirming, among other things, its intention to bring suppliers of services that major infrastructure operators depend on within the scope of the NIS regime. It will also increase the scope of NIS to include managed service providers.

The UK NIS Regulations, which took effect in 2018 and originally derived from EU law, provide for two separate regimes of cybersecurity regulation – one that applies to ‘operators of essential’ services across critical infrastructure such as in health, energy and transport; and one that applies to ‘digital service providers’ (DSPs) specifically.

In its response paper, the government said it would press ahead with plans to regulate critical sectoral dependencies. Cyber risk expert Stuart Davey of Pinsent Masons said technology providers are among the businesses likely to be impacted by the plans.

According to DCMS, 90% of respondents to its consultation supported the proposal to introduce a new power to designate critical dependencies and regulate those entities that are vital to the provision of essential services. It said its legislative proposals will reflect feedback from respondents that have asked for “clear guidance on how the power will be used and what factors will be significant in assessing the need for the power to be used”.

DCMS also confirmed that stakeholders will be given rights to be consulted when the power is to be used, that regulators will be given capability to monitor organisations designated as critical dependencies, and that the new provisions “will not introduce unnecessary, disproportionate, or inappropriate burdens to organisations”.

“The move to regulate critical dependencies under the UK NIS regime represents a continuation of a trend towards stiffer regulation of third parties in the UK,” said Davey. “For instance, with its Financial Services and Markets Bill, the government is intending to establish a new ‘critical third parties’ (CTPs) regime in UK financial services in a bid to further stiffen operational resilience requirements in the sector. Major cloud providers are expected to be among the service providers to financial institutions to be designated as subject to direct regulation by the UK’s financial regulators under that regime.”

A range of technology providers will also be impacted by the government’s plans to add managed service providers as a new category of DSP for the purposes of the updated NIS regime.

Examples of the type of services likely to be considered ‘managed services’ under the updated framework include IT outsourcing services, service integration and management, application management, security monitoring, and incident response. Software development will not constitute managed services for the purposes of the expanded NIS regime.

DCMS said data centres could be brought within scope of the new NIS rules on managed services once it has completed its ongoing review of their security and resilience.

 

Changes are taking place to strengthen the NIS regime in the UK at the same time as the EU approves its own NIS2 changes

Broader changes to the regulation of DSPs under the NIS regime remain under consideration. The government has consulted on establishing a two-tier system of regulation, where ‘critical’ DSPs would be subject to proactive supervision and remaining DSPs subject to a “reactive regime”. However, DCMS has now said that “determining the appropriate criteria for a tiered regime could be problematic” and that it is “considering whether a more flexible, risk-based assessment may be a better approach”.

It said: “The government proposes to implement this supervisory approach through non-legislative means as far as it is practicable. The information commissioner will be responsible for producing any guidance on how it will regulate digital services using a risk-based approach and will identify and assess those digital service providers which play the most critical role in supporting the resilience of the UK’s essential services.”

In its response paper, DCMS also confirmed that changes to incident reporting requirements under the UK NIS regime will be pursued.

Currently, incident reporting requirements under the NIS regime are limited in scope to certain incidents that affect the continuity of service either DSPs or operators of essential services provide.

DCMS previously said that the limitation in scope means “significant cybersecurity incidents” can arise without triggering the reporting obligations, so it consulted on changing the NIS Regulations to require the reporting of “any incident which has a significant impact on the availability, integrity, or confidentiality of networks and information systems, and that could cause, or threaten to cause, substantial disruption to the service”.

Those changes will be taken forward, DCMS has now confirmed. Guidance will be issued to specify more precise detail as to circumstances in which reporting will be required and in relation to what information the incident reports should contain, it said.

Other notable proposals to be taken forward include new powers to enable the government to update the NIS regime in future through secondary legislation rather than via an Act of parliament. The government also confirmed its intention to enable more of the cost of regulation under the NIS regime to be footed by the organisations subject to regulation.

DCMS said: “The government’s starting position is that the existing cost recovery system is not sufficient. It relies on central government funding and the reclaiming of costs at a later date. It is the government’s view that in general the cost burden of regulation should fall on the regulated, not the general taxpayer. Therefore we need a cost recovery scheme for NIS that reduces the burden on the taxpayer.”

Rebecca Townsend of Pinsent Masons said: “It is notable that changes are taking place to strengthen the NIS regime in the UK at the same time as the EU approves its own NIS2 changes. This is likely to represent one of the early examples in the data and cyber field of divergence between the UK and the EU.”

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.