Expanded regulation of cybersecurity incidents – new UK government consultation

The government’s Department of Digital, Culture, Media and Sport (“DCMS”) has announced plans to reform the Network and Information Security (NIS) Regulations 2018 (“NIS Regs”) that if implemented, will mean a wider range of cybersecurity incidents come within their remit. In a consultation document published on 19 January 2022[1] (“Consultation”), the DCMS has proposed measures that it says are designed to enhance the cyber resilience of UK critical infrastructure and services. The Consultation closes on 10 April 2022.

So, what is being proposed? Essentially, three pillars of measures are being consulted on, each addressing specific objectives. In this blog we look at the first two given the third pillar relates to the standardisation of the cybersecurity profession to embed consistent competency standards and this is being consulted on separately[2].

Pillar 1 deals with the expansion of the regulation of digital service providers so that “managed service providers” are considered “relevant digital service providers” (“DSPs”) and are therefore brought into the remit of the UK’s cybersecurity regulatory framework as well as the creation of a two-tier system of supervision.

Pillar 2 covers proposals to future-proof the UK’s existing cyber security legislation, primarily the NIS Regs.

Looking at Pillar 1 first, the inclusion of “managed service providers” to the list of digital services regulated under the NIS Regs would mean more back-office organisations are affected and brought in scope. The Consultation states that in responses to DCMS’ call for views in May 2021[3] it was highlighted that “the most critical managed service providers can represent a systemic risk to the UK economy and society due to the scale and concentration of their services in the UK market”. It further notes that there are currently very few mandatory cyber-security specific requirements for managed service providers nor a “minimum security baseline”. The Consultation proposes that the following characteristics being met would establish a relevant “managed service”:

They are supplied to a client by an external supplier
They involve regular and ongoing service management of data, IT infrastructure, IT networks and/or IT systems;
They are categorised as B2B rather B2C services; and
Their provision relies on network and information systems.

The Consultation acknowledges that this expansion has the potential to be far-reaching and could cause significant challenges and associated costs to affected businesses. It therefore suggests a way of narrowing the scope is to ensure those managed services that have the most substantial impact on the UK’s resilience if disrupted are those brought into scope. To this end, it considers adding a risk-based characteristic to the definition of managed service, so that as well as the above criteria, the following would also need to apply to bring a managed service under the NIS Regs:

It has privileged access[4] or connectivity to a customer’s data, IT infrastructure, IT networks and/or IT systems; or
It performs essential or sensitive functions, such as processing and/or storage of confidential or business-critical data.

Annex A of the Consultation document contains non-exhaustive examples of the type of managed services expected to come in scope. These include workplace services, managed desktop/virtual desktop, WAN and LAN support services, consulting, security, BPO ITO, Business continuity and DR and AI services.

The Pillar 1 measures also propose creating a two-tier supervisory system so that a pro-active supervisory regime applies to the most critical digital service providers and a reactive supervisory regime (that currently exists) applies to remaining digital service providers.

The ICO would continue to provide guidance on cyber-security practices and measures for all DSPs. Those within the scope of the NIS Regs are required to register with the ICO and report any cyber security incidents to them. It is proposed the ICO will take a more proactive role in the supervision of the most critical DSPs including monitoring and investigation of those DSPs who in turn will be expected to demonstrate compliance with the NIS Regs.

In the Consultation, the DCMS is proposing the development of criteria to identify the most critical DSPs potentially including thresholds that would be defined by the ICO with support from DCMS and consulted on with relevant industry stakeholders. The Consultation sets out a list of factors and linked criteria that may be used to determine criticality[5].

Turning to Pillar 2, it is proposed that ministers are given the powers to make changes to the NIS regs through secondary legislation without changing the current remit of the Regulations, so for example, expanding the scope of the legislation would not be done in this way. The government says these proposals are necessary to facilitate more flexibility and agility in responding to rapidly to new technologies and threats to cyber security. The government also anticipates the need to amend the regulations to make improvements and without the availability of its previous rights under S.2 (2) of the European Communities Act 1972, there is no current mechanism to swiftly implement changes and any changes need to be made by introducing a Bill.

Clearly the proposed changes if implemented will significantly impact many organisations that were previously outside the NIS Regs regime with a greater regulatory burden and cost. It will be interesting to see how the proposed measures develop and take shape going forward.

[1] Proposal for legislation to improve the UK’s cyber resilience – GOV.UK (www.gov.uk)

[2] Embedding standards and pathways across the cyber profession by 2025 – GOV.UK (www.gov.uk)

[3] Call for views on cyber security in supply chains and managed service providers – GOV.UK (www.gov.uk)

[4] “Privileged access”, defined in Consultation as “access and permission rights that are elevated from that of a standard user, where such access would otherwise be restricted and where this could permit the modification of the relevant service, network data, or infrastructure in a way that was not authorised”.

[5] See section 4.7 of Consultation document.

SMCR Enforcement Actions

What are ‘reasonable steps’ in the context of the SMCR? Tom Hine explains using two recent cases.

LawTech and Cloud Contracts

What should law firms keep in mind to get the best from their Cloud investment? Richard Kemp takes a look.