Cybersecurity regulations that protect critical national infrastructure and providers of important online services are to be tightened up, the Department for Digital, Culture, Media and Sport (DCMS) announced today.
The Network and Information Systems (NIS) regulations will be strengthened following a public consultation held earlier this year. By tweaking the rules, the government hopes to offer increased protection to the UK’s critical national infrastructure, such as energy providers and the NHS, as well as key digital services like cloud computing.
What are the UK NIS regulations?
The NIS regulations were introduced in 2018 to ensure companies providing critical services could be protected from cyberattacks.
They provide legal measures to boost the overall level of cybersecurity for networks and physical equipment belonging to infrastructure providers, as well as important digital platforms such as online marketplaces, search engines and cloud providers. Non-compliance with the rules can result in fines of up to £17m.
These regulations are now being enhanced as part of the government’s £2.6bn National Cyber Strategy, and will be implemented “as soon as parliamentary time allows,” DCMS says.
DCMS minister Julia Lopez said: “We are strengthening the UK’s cyber laws against digital threats. This will better protect our essential and digital services and the outsourced IT providers that keep them running.
“The services we rely on for healthcare, water, energy and computing must not be brought to a standstill by criminals and hostile states.”
How the government is changing NIS regulations
As a result of the changes, managed service providers (MSPs), which run IT networks for many organisations, will be subject to more controls to protect their clients from supply chain attacks. Recent years have seen a number of high-profile breaches, such as the SolarWinds attack, stemming from criminals targeting MSPs.
Regulators will be provided with increased powers to ensure that businesses are complying with the rules. A wider range of cyber incidents will be included in the scope of the rules, meaning Ofcom, Ofgem and the ICO will need to be notified of potential problems “even if they don’t immediately cause disruption”, DCMS says.
The government will be able to add new technologies to the list of those that fall under the umbrella of NIS rules as they become indispensable to UK infrastructure.
A recovery system will also be implemented so that the taxpayer does not end up being liable for costs related to investigating companies not complying with regulations. The fining process will be more transparent and will take into account factors like wider regulatory burdens and company size.
The changes were welcomed by Paul Maddinson, director of national resilience and strategy at the National Cyber Security Centre. “These measures will increase the resilience of the country’s essential services and their managed service providers, on which we all rely,” he said. “I welcome the opportunity to strengthen NIS regulations and the impact they will have on boosting the UK’s overall cyber resilience.”