Outsourced IT providers will be brought into scope of cyber regulations to strengthen UK supply chains.
Essential everyday services, such as water, energy and transport, will be better protected from online attacks following changes to laws which set the UK’s cyber security standards.
In response to a public consultation earlier this year, the government today confirms the Network and Information Systems (NIS) Regulations will be strengthened to protect essential and digital services against increasingly sophisticated and frequent cyber attacks both now and in the future.
The UK NIS Regulations came into force in 2018 to improve the cyber security of companies providing critical services. Organisations which fail to put in place effective cyber security measures can be fined as much as £17 million for non-compliance.
But high profile attacks such as Operation CloudHopper, which targeted managed service providers and compromised thousands of organisations at the same time, show the UK’s cyber laws need to be strengthened to continue to protect vital services and the supply chains they rely on.
MSPs provide IT services such as security monitoring and digital billing and can have privileged access to their customers’ IT networks. This makes them an attractive target for cyber criminals, who can exploit vulnerabilities in MSP software to compromise a wide range of clients at once.
The UK is able to change the NIS regulations, which were originally derived from the EU’s NIS directive, because the UK has left the EU and can update these laws to better fit the country’s cyber security needs.
Under the new changes MSPs, which are key to the functioning of essential services that keep the UK economy running, will be brought into scope of the regulations to keep digital supply chains secure.
Cyber minister Julia Lopez said:
The services we rely on for healthcare, water, energy and computing must not be brought to a standstill by criminals and hostile states.
We are strengthening the UK’s cyber laws against digital threats. This will better protect our essential and digital services and the outsourced IT providers which keep them running.
The updates to the NIS regulations will be made as soon as parliamentary time allows and will apply to critical service providers, like energy companies and the NHS, as well as important digital services like providers of cloud computing and online search engines.
Other changes include requiring essential and digital services to improve cyber incident reporting to regulators such as Ofcom, Ofgem and the ICO. This includes notifying regulators of a wider range of incidents: those that disrupt service, and those that pose a high risk to, or could have a high impact on, their service, even if they don’t immediately cause disruption.
The new measures will give the government the power to amend the NIS regulations in future to ensure they remain effective. This change will allow more organisations to be brought into scope if they become vital for essential services, and will allow new sectors to be added as they become critical to the UK’s economy.
The updated rules will allow regulators to establish a cost recovery system for enforcing the NIS regulations that is more transparent and takes into account the wider regulatory burdens, company size, and other factors to reduce taxpayer burden.
The Information Commissioner will be able to take a more risk-based approach to regulating digital services under the updated cyber laws and will be allowed to take into account how critical providers are to supporting the resilience of the UK’s essential services.
These changes to legislation are part of the government’s £2.6 billion National Cyber Strategy which is taking a stronger approach to getting at-risk businesses to improve their cyber resilience and making the UK digital economy more secure and prosperous.
Paul Maddinson, NCSC Director of National Resilience and Strategy, said:
I welcome the opportunity to strengthen NIS regulations and the impact they will have on boosting the UK’s overall cyber security.
These measures will increase the resilience of the country’s essential services – and their managed service providers – on which we all rely.
Carla Baker, Senior Director of Public Policy UK and Ireland, Palo Alto Networks, said:
Palo Alto Networks supports the development of an agile policy framework to reduce cybersecurity risks to our economy and society.
We welcome the opportunity to engage with the UK Government as it reviews the legislation and develops guidance for industry to enhance cyber resilience and combat the risk that malicious actors pose to the UK’s national security.