The UK government has published its response to a consultation setting out how it proposes to reform the Network & Information Systems Regulations 2018 (NIS Regulations) in order to address the security and resilience of important digital services in the UK. This move follows the EU’s response to the growing threat of cyber-attacks associated with increasing digitalisation through the recent implementation of the NIS 2 Directive (which we wrote about here).
Background
The NIS Regulations were introduced in the UK in 2018 and had the effect of transposing the EU’s Network and Information Security (NIS) Directive (which we wrote about here) into UK law.
The NIS Regulations currently apply to organisations that provide ‘essential services’ (e.g. healthcare, energy and transportation) and digital service providers (such as online marketplaces and search engines) and impose certain requirements on those organisations to ensure appropriate security measures to manage cybersecurity risks faced by their systems and certain reporting obligations in the case of security incidents.
The proposals for reform are part of the UK’s wider £2.6 billion National Cyber Strategy, which aims to increase the overall level of security and resilience across all sectors in the UK, but especially those which are increasingly playing a significant role in the wider economy (e.g. managed service providers). The reasoning behind the need for reform was set out in the 2022 Review of Cyber Security Incentives and Regulation, which recognised the increased reliance of the economy and wider society on digital services as a key factor in the increase of ransomware attacks globally. Additionally, the interconnectivity of supply chains is more likely to lead to higher levels of cyber risk, as attackers seek to target vulnerabilities on a larger scale. It is therefore vital that organisations integrate cyber resilience into their business models and risk management strategies, and this has been deemed to require a specific interventionist approach from Government.
Proposals for reform
The proposals for reform are split into two areas or ‘pillars’.
Pillar I: Proposals to amend provisions relating to digital service providers
1. Scope of regulation of digital service providers: the scope of the NIS Regulations will be expanded to cover those providing ‘managed services’ such as IT outsourcing, security monitoring and private and public network management. The list of example services is non-exhaustive and instead focuses on key characteristics of the services provided, including those which are:
- Business-to-Business;
- related to IT services;
- reliant upon the use of network and information systems; and
- related to the provision of regular and ongoing management and support, active administration and/or monitoring of IT systems, infrastructure, network and/or security.
Software development is not captured by the scope of the NIS Regulations and small/micro businesses and traditional data centres are currently envisaged to be exempt.
2. Supervisory regime for digital service providers: proposals for a two-tier regime (creating ‘proactive’ and ‘reactive’ regimes based on the type of digital service provider) were rejected and instead a non-legislative regime will be implemented, which will take the form of a flexible risk-based assessment. This will be regulated by the Information Commissioner who will also produce guidance on how digital service providers can ensure high levels of cyber resilience.
Pillar II: Proposals to future-proof the UK NIS Regulation
1. Delegated power to update the NIS Regulations in the future within its current framework: the Government will be given certain powers to amend aspects of the NIS Regulations including scope, penalties and designation of small and micro-businesses through secondary legislation.
2. Delegated power to amend the scope of the NIS Regulations to add sectors and subsectors: the Government will be given certain powers to amend the scope of the NIS Regulations to include new sectors in order to be able to respond to evolving cyber threats and reduce risks in supply chain security. These powers will come with appropriate safeguards such as the requirement to conduct impact assessments and to ensure collaboration with relevant industries before any changes are made, as well as regular post-implementation reviews.
3. Measure to regulate critical sectoral dependencies in NIS: the scope of the NIS Regulations will be expanded to cover critical suppliers or services, on which existing essential and digital services depend, although the designation process will need to be confirmed.
4. Additional incident reporting duties beyond continuity of service: current duties will be expanded to cover incidents which may not affect the continuity of the impacted services directly, but which pose a significant risk to the security and resilience of the entities and essential services in question. Guidance will be provided by the National Cyber Security Centre and other regulators to clarify reporting thresholds and contents of incident reports.
5. Full cost recovery for NIS functions: the Government will consult with regulators on how to create an improved and fairer costs recovery system which expands the cost recovery powers of regulators but does not place unnecessary burdens on taxpayers.
The Government has confirmed that it will proceed with the proposed reforms to amend the NIS Regulations and it is expected that this will take place in 2024, subject to finding “a suitable legislative vehicle”.
How do proposals for reform compare to the EU’s NIS 2 Directive?
Due to the UK no longer being part of the European Union, the UK government will not be implementing the NIS 2 Directive, which came into force in the EU on 23 January 2023. However, the Government’s proposals to reform the NIS Regulations are likely to contain several similarities to the new European regulation.
For example, both pieces of legislation seek to broaden the scope and applicability of the regulation of cybersecurity. The UK’s proposals for reform extend the scope of regulation to include providers of managed IT services and the Government will be granted powers to add new sectors and sub-sectors in the future, whereas the EU’s NIS 2 Directive covers specific additional sectors such as telecommunications, social media platforms and public administration and introduces a minimum size-cap rule to include medium and large organisations.
Another similarity is the stricter approach to obligations relating to reporting cybersecurity incidents. The UK’s proposals require a wider range of incidents to be reported (those that pose a high risk to, or significantly impact the service, even if they don’t immediately disrupt it) and the NIS 2 Directive widens the scope of ‘significant incidents’ to cover those events which have affected or are capable of causing considerable losses to others, as well as requiring initial notification of incidents to be made within 24 hours of becoming aware of the incident.
However, there are also some key differences between the UK and EU approaches. In relation to enforcement, the UK approach to regulation of digital service providers will be through a flexible risk-based assessment which will be regulated by the Information Commissioner. By contrast, the NIS 2 Directive takes a more robust approach through administrative fines and penalties for non-compliance, which have been increased to a maximum of €10 million or 2% of total annual global turnover for entities providing ‘essential services’.
Ultimately, it will take time to properly assess how the updated UK regime will compare to its EU counterpart in practice, as the current proposals are not expected to take effect until the course of 2024.
Key takeaways for businesses
UK businesses will need to consider whether they fall within the amended NIS Regulations, the EU NIS 2 Directive, or both. Although there are similarities between the two regimes, the differences will result in a certain level of divergence, which will require organisations operating in both the EU and the UK to carefully assess their cybersecurity compliance obligations. Businesses should allocate appropriate resources early on to ensure that suitable security measures are in place to protect against cyber threats, and to maintain resilience in the event of a cyberattack, in order to avoid the costs and reputational damage that can result from cybersecurity incidents.
If you would like to discuss the impact of the upcoming changes, please get in touch with David Varney or another member of the Data Protection and Cyber Security team.