In January 2022, the Department for Digital, Culture, Media & Sport (DCMS) announced the launch of two public consultations on proposed reforms for legislation, incentives and regulations to improve the UK’s cyber resilience. The consultations are part of the National Cyber Strategy which we summarised in a previous blog post available here.
Motivations for the consultation
Julia Lopez MP, the Minister for Media, Data and Digital Infrastructure commented that the consultations were imperative to responding appropriately to the increasing frequency and sophistication of cyber attacks, coupled with the increased pace of digitisation in the national economy.
Recent incidents have confirmed the importance of making cyber security a fundamental part of the UK’s digital transformation journey. They include the SolarWinds supply chain compromise disclosed in December 2020, the ransomware attack on Colonial Pipeline in May 2021 and the July 2021 ransomware attack that used Kaseya’s VSA remote management software to reach managed service providers and their customers. These attacks caused severe damage to critical services, national infrastructure and the economy. They also illustrate the twin concerns behind the consultations: the concentration of risk in the providers that essential services depend on, and the need for a sustained supply of diverse and skilled individuals into the cyber workforce to make systems more resilient against cyber threats.
Key changes proposed
The two public consultations are aimed at addressing the above threats and challenges, and the proposals have been divided into three distinct pillars. The first consultation (the Consultation) addresses pillars one and two, whilst the second consultation covers the third pillar.
The UK defines its most important infrastructure assets, systems, sites, personnel and functions through the lens of critical national infrastructure. To ensure that cyber risk to critical national infrastructure is managed in the national interest, the 2016 National Cyber Security Strategy committed to implementing an appropriate regulatory framework. That was achieved in part through the Network and Information Systems Regulations 2018 (NIS Regulations). Whilst the NIS Regulations have undoubtedly transformed the understanding of cyber risk and consequently the approach to security, the May 2020 Post Implementation Review of the NIS Regulations concluded that, although improvements are being made, they will need to be enhanced and accelerated.
The proposals set out in the Consultation concern all organisations within the scope of the NIS Regulations, as well as other private and public entities that provide digital services (or a form of service) that an essential service relies on.
Pillar I – Proposals to bring additional critical providers of digital services into the UK’s cyber security regulatory framework, ensuring that those providers who frequently have privileged access and provide critical support to essential UK services, have adequate cyber security protections in place, and can be regulated effectively and proactively. In summary, the proposals include:
- Expanding the scope of digital services regulated under the NIS Regulations to include “managed services”, with the providers of digital managed services subject to the same duties as other digital service providers. This is perhaps the most important proposal, as digital managed services (for example security monitoring, managed network services or the outsourcing of business processes) are not currently within scope of the NIS Regulations. The Consultation notes that digital managed services are an attractive and high value target for malicious threat actors, because a provider typically holds privileged access into many customer environments, so a single compromise could disrupt essential services at scale. Bringing managed services and their providers under the NIS Regulations would set a baseline for cyber security provisions and better protect the UK economy and critical national infrastructure from cyber security threats.
- Establishing a two-tier supervisory regime for all digital service providers in scope of the NIS Regulations. This would add a proactive supervisory regime for the most critical digital services, alongside the existing reactive supervisory regime for the remaining digital services regulated under the NIS Regulations, drawing an essential distinction between services which are critical to the UK’s resilience and those that do not carry systemic dependencies. The Government says it will remain as open, transparent and fair as possible in determining the proposed criteria for deciding which services fall under the proactive regime. The role of the Information Commissioner’s Office (ICO), the competent authority for digital service providers under the NIS Regulations, would also be enhanced, as organisations in the proactive tier will be expected to cooperate and engage with the ICO rather than simply respond to it after an incident.
Pillar II – Proposals to future-proof the UK’s existing cyber security legislation, primarily the NIS Regulations, so that they can adapt to potential changes in threat and technological developments. In summary, the proposals include:
- Creating new delegated powers to enable the Government to update the NIS Regulations, both in terms of framework and scope, with appropriate safeguards. This would allow the NIS Regulations to be kept up to date and relevant, and would let the Government act quickly and effectively in response to changing threats without waiting for primary legislation.
- Creating a new power to allow the UK Government to change the scope of the NIS Regulations to bring within their remit organisations on which entities already in scope are critically dependent. The sectors covered by the NIS Regulations are currently limited to those originally set in 2016; this proposal would allow an agile response and the inclusion of new sectors and sub-sectors that are critical to the delivery of the UK’s essential services.
- Expanding and strengthening the existing incident reporting requirements under the NIS Regulations to include incidents that do not directly affect the continuity of the service but nonetheless pose a significant risk to the security and resilience of the entities in question and the essential services they provide (for example, a compromise that is contained before any outage occurs). This new indicative minimum threshold for reportable incidents would help national authorities support the affected operator, alert other operators who may be vulnerable to the same type of attack, or pursue threat actors through existing legislation.
- Extending the existing cost recovery provisions to allow regulators (e.g. Ofcom, Ofgem and the ICO) to recover the entirety of their reasonable implementation costs from the companies that they regulate, creating a more flexible model for raising fees and recovering costs. This change would relieve pressure on public funds, give competent authorities more financial flexibility to carry out their daily work, and discourage regulated bodies from frustrating the enforcement process without consequence.
Pillar III relates to the standardisation of the cyber security profession and is being consulted on separately in the second consultation, which closes on 20 March 2022.
Impact
Organisations and firms that consider they may be affected by the proposals should follow the Consultation and its outcome to determine whether changes or further steps will be needed. This is of particular importance for managed service providers, which the proposals would bring within scope of the NIS Regulations for the first time. Organisations may then need to comply with strict cyber security duties and incident reporting requirements, which matters given the large fines (currently up to £17 million under the NIS Regulations) that may be payable for non-compliance.
Next steps
Interested parties are requested to submit responses no later than 10 April 2022.
If you'd like to discuss the impact of the proposed reforms in more detail, please contact Lucy Pegler or another member of our Data Protection and Cyber Security team.
This article was written by Jenika Pankhania and Lucy Pegler.
“Our proposals here are aimed at addressing these risks, whilst allowing these services to continue and succeed.” – Julia Lopez MP