The UK government will extend the Network and Information Systems (NIS) regulations to all digital managed service providers (MSPs), the British Department for Digital, Culture, Media and Sport (DCMS) announced on November 30, 2022.
This decision comes from a public consultation earlier this year. The update aims to better protect essential everyday services, including healthcare, water, energy, transport and computing against increasingly sophisticated and frequent cyber-attacks both now and in the future.
Derived from a European Union directive, NIS came into force in the UK in 2018 to improve the cybersecurity of companies providing critical services. Organizations that fail to implement adequate cybersecurity measures can be fined as much as £17m ($20m) for non-compliance.
However, while a second version of the EU directive (NIS2) is currently underway and should come into force in EU member states in 2023, the majority of digital MSPs, such as security monitoring services, managed network services and outsourced business processes, are not currently within the scope of this legislation.
These services “can have privileged access to their customer’s IT networks, [which] makes them an attractive target for cyber-criminals who can exploit MSP software vulnerabilities to compromise a wide range of clients,” noted DCMS.
The department noticed that, in its current form, NIS was ineffective in preventing “high-profile attacks such as Operation CloudHopper, which targeted MSPs and compromised thousands of organizations at the same time.”
The British minister for Media, Data, and Digital Infrastructure, Julia Lopez, said the proposed change “will better protect our essential and digital services and the outsourced IT providers which keep them running.”
Paul Maddinson, the director of national resilience and strategy at the UK’s National Cyber Security Centre (NCSC), welcomed “the opportunity to strengthen NIS regulations and the impact they will have on boosting the UK’s overall cybersecurity.”
Improve Cyber-Incident Reporting
Other changes include requiring essential and digital services to improve cyber-incident reporting to national regulators such as the Office of Communications (Ofcom), the Office of Gas and Electricity Markets (Ofgem) and the Information Commissioner’s Office (ICO).
“This includes notifying regulators of a wider range of incidents that disrupt service, or which could have a high risk or impact to their service, even if they don’t immediately cause disruption,” read the announcement.
DCMS argued that the update will also “allow regulators to establish a cost recovery system for enforcing the NIS regulations that is more transparent and takes into account the wider regulatory burdens, company size, and other factors to reduce taxpayer burden.”
These changes to legislation, which “will be made as soon as parliamentary time allows,” are part of the government’s £2.6bn ($3.2bn) National Cyber Strategy and would not be possible if the UK was still a member of the EU, claims DCMS.
A Step in the Right Direction
Some voices from the cybersecurity community praised the decision. Palo Alto’s senior director of public policy for the UK & Ireland, Carla Baker, said in the DCMS press release that she had offered “to engage with the UK Government as it reviews the legislation and develops guidance for industry to enhance cyber resilience and combat the risk that malicious actors pose to the UK’s national security.”
Jordan Schroeder, managing CISO at Barrier Networks, told Infosecurity that while “regulations are not bulletproof,” the decision to extend NIS to digital MSPs could help prevent “incidents when attackers successfully compromised the networks of Kaseya and SolarWinds.”
Oz Alashe, CEO of CybSafe, called it “a legislative step in the right direction.”
“Regulations, however, can only go so far in protecting data from cyber criminals,” he warned. “The public and private sectors need to work together to ensure organizations are treating cyber security as a business priority. Cyber-attacks are not just more frequent; they are also increasingly complex. Therefore, businesses need to begin treating a positive cyber security culture as an active core value. We need to focus on measuring and changing specific security behaviors, not just ticking boxes on a risk register. While this move from the government is positive, there is much left to be done.”
The new measures will give the government the power to amend the NIS regulations in the future – such as bringing more organizations into scope if they become vital for essential services and adding new sectors which may become critical to the UK’s economy.
