Changes to the UK’s cybersecurity standards will see outsourced IT providers brought under the scope of regulations to ensure vital services such as energy supplies and transport are protected from digital threats.
The proposed updates to the Network and Information Systems (NIS) Regulations come in response to a public consultation earlier this year. The regulations, in place since 2018, set out how organisations providing critical services must protect themselves from cyber attacks, with non-compliance risking fines of up to £17 million.
Managed service providers (MSPs) that provide outsourced IT services are now set to be included in the regulations, given their attractiveness to malicious actors looking to access the IT networks of their clients. High-profile attacks, such as Operation CloudHopper, have recently brought to light how vulnerabilities within the IT supply chain can put thousands of organisations at risk of compromise.
Cyber minister Julia Lopez said:
“The services we rely on for healthcare, water, energy and computing must not be brought to a standstill by criminals and hostile states.
“We are strengthening the UK’s cyber laws against digital threats. This will better protect our essential and digital services and the outsourced IT providers which keep them running.”
The updates to the NIS regulations will be made as soon as parliamentary time allows and will apply to critical service providers, like energy companies and the NHS, as well as important digital services like providers of cloud computing and online search engines.
Other changes include requiring essential and digital services to improve cyber incident reporting to regulators such as Ofcom, Ofgem and the ICO. This includes notifying regulators of a wider range of incidents that disrupt service or which could have a high risk or impact to their service, even if they don’t immediately cause disruption.
The new measures will give the government the power to amend the NIS regulations in future to ensure they remain effective. This change will allow more organisations to be brought into scope if they become vital for essential services, and will allow new sectors to be added as they become critical to the UK’s economy.
The updated rules will allow regulators to establish a cost recovery system for enforcing the NIS regulations that is more transparent and takes into account the wider regulatory burdens, company size, and other factors to reduce taxpayer burden.
Paul Maddinson, NCSC Director of National Resilience and Strategy, said:
“I welcome the opportunity to strengthen NIS regulations and the impact they will have on boosting the UK’s overall cyber security.
“These measures will increase the resilience of the country’s essential services – and their managed service providers – on which we all rely.”
Carla Baker, Senior Director of Public Policy UK and Ireland, Palo Alto Networks, said:
“Palo Alto Networks supports the development of an agile policy framework to reduce cybersecurity risks to our economy and society.
“We welcome the opportunity to engage with the UK Government as it reviews the legislation and develops guidance for industry to enhance cyber resilience and combat the risk that malicious actors pose to the UK’s national security.”