Government publishes consultation on proposal for legislation to improve the UK’s cyber resilience

The Government is consulting on proposals for new laws to improve the cyber resilience of organisations that are important to the UK economy.

As part of the £2.6 billion National Cyber Strategy 2022, the Government is working to improve the cyber resilience of businesses and organisations across the UK economy. Recent high-profile cyberattacks, such as the December 2020 SolarWinds supply chain compromise, the May 2021 ransomware attack on the US Colonial Pipeline, and the July 2021 attack on the managed service provider Kaseya, demonstrate how malicious actors can compromise a country’s national security and disrupt activities in the wider economy and society.

The Government is therefore consulting on proposals for legislative changes which would drive up levels of cyber resilience, particularly in organisations which play an important role in the UK economy, such as managed IT service providers.

Essentially, the Government wants to update the Network and Information Systems Regulations 2018 and widen the list of companies in scope to include Managed Service Providers (MSPs) which provide specialised online and digital services. Managed services include security services, workplace services and IT outsourcing. The Government recognises that these firms are crucial to boosting the growth of the UK’s digital sector and that they have privileged access to their clients’ networks and systems.

The NIS Regulations require essential service providers to undertake risk assessments and put in place reasonable and proportionate security measures to protect their networks. While the NIS Regulations already apply to some digital services, such as online marketplaces, online search engines and cloud computing, there has been an increase in the use of, and dependence on, digital services for meeting corporate needs such as information storage, data processing and running software.

The Government is proposing amending the NIS Regulations to:

  • expand their scope to include managed services provided by companies that manage IT services on behalf of other organisations;
  • require large companies to provide better cyber incident reporting to regulators such as Ofcom, Ofgem and the ICO, including a requirement to notify regulators of all cyber security attacks they suffer, not just those which impact their services;
  • give the Government the ability to future-proof the NIS Regulations by updating them and, if necessary, bringing into scope more organisations in the future which provide critical support to essential services;
  • transfer all relevant costs incurred by regulators for enforcing the NIS Regulations from the taxpayer to the organisations covered by the legislation to create a more flexible finance system and reduce the taxpayers’ burden; and
  • update the regulatory regime so that the most critical digital service providers in the economy have to demonstrate proactively that they are following NIS Regulations to the ICO and take a more light-touch approach with the remaining digital providers.

The consultation closes on 10 April 2022. Alongside the consultation, the Government has also published further analysis on the need to improve UK cyber resilience in the 2022 Review of Cyber Security Incentives and Regulation.