In November, the Department for Digital, Culture, Media & Sport announced major new reforms to the UK’s Network and Information System (NIS) Regulations. These new measures, according to the DCMS, are designed to ‘boost security standards and increase reporting of serious cyber incidents to reduce risk of attacks causing disruption’ by patching a serious gap in the country’s corporate cyber-defences: namely, the lack of attention paid to the cybersecurity arrangements of managed service providers.
Current NIS regulations
Originally brought in to comply with EU law in 2018, the NIS Regulations focus on cyber, as well as physical and environmental, threats to the network and information systems of operators of essential services and digital service providers. The regulations provide for a tiered approach: operators of essential services, such as critical infrastructure operators in important sectors including transport, health, energy and digital infrastructure, are required to follow a stricter regime than digital service providers (DSPs), namely providers of online marketplaces, online search engines and cloud computing services.
Generally speaking, the current regulations require operators to ‘identify and take appropriate and proportionate measures to manage the risks posed to the security of network and information systems’. These measures must ensure a level of security appropriate to the risk posed, prevent and minimise the impact of incidents affecting digital services, and, above all, take into account the security of systems and facilities, incident handling, business continuity management, monitoring, auditing and testing, as well as compliance with international standards.
Operators must also report to their regulator any incidents that significantly impact the continuity of the services they provide. In the case of DSPs, the relevant regulator is the Information Commissioner’s Office (ICO). Any DSP falling under the ambit of the NIS Regulations has to register with the ICO. The ICO has published guidance to help businesses understand if they are DSPs and, if so, what their obligations are.
Several considerations determine whether the regulations apply. The digital service must, for example, be provided externally, and it does not matter whether it is provided by a single organisation or in partnership with another. Internal digital services, meanwhile, are exempt, as are small and micro businesses with turnover or balance sheets below €10m, online search engines embedded in company websites, and online retailers selling directly to consumers on their own account. Online marketplaces that fall outside this exemption, as well as search engines and cloud services, are covered. In the most serious cases, failing to implement effective cybersecurity measures can result in fines of up to £17m.
DSPs to include managed service providers
Following a consultation held in 2022, the UK government decided to expand the definition of ‘digital service providers’ beyond the current list of providers of online marketplaces, online search engines, and cloud computing services to include providers of ‘managed services’.
Managed services will cover a broad span of IT-related services. These include outsourced networks, infrastructure, hosting, service integration and management, application management and related services such as remote security monitoring and management, incident response, remote access, digital ticketing and billing, as well as a wide range of other services on which the UK’s digital supply chain relies.
Other planned changes to the NIS Regulations include improving cyber incident reporting to regulators, establishing a cost recovery system for enforcing the NIS Regulations and giving the government new powers to amend the NIS Regulations in future to ensure they remain effective. The reforms also envision the Information Commissioner taking a more risk-based approach to regulating digital services.
Timetable for compliance
According to the DCMS, the government plans to introduce the changes as soon as parliamentary time allows. At the same time, the EU is also strengthening its own network and information security regime through the recently enacted Network and Information Security Directive (NIS2), which EU member states must transpose into national law no later than 18 October 2024. This means that DSPs operating in both the UK and the EU will need to manage two similar (but not identical) regulatory regimes.
Lastly, because NIS2 has been brought into effect as an EU directive (and not a directly effective regulation), there is the distinct possibility that the EU’s desire for greater harmonisation is only partially successful, as member states may implement NIS2 into their own laws according to their own national requirements.