UK to expand NIS Regulations, bring MSPs, data centres in scope
Data centre operators, electric vehicle chargepoint firms, and education providers are among the sectors that could fall into the scope of expanded NIS regulations, according to the British government, which plans to table secondary legislation to reform the 2018 European rules for critical national infrastructure (CNI) security.
It plans to introduce a new “delegated power” that would allow the government to update and amend the NIS Regulations without requiring an Act of Parliament — allowing it to expand the NIS’s scope.
An immediate priority is bringing managed service providers (MSPs) into scope, with HMG saying that “there is no minimum security baseline for managed service providers, unlike other key industries in the UK market.”
It is proposing a new “two-tier supervisory regime for digital service providers in scope of NIS” and consulting on new cost recovery measures for the increased regulatory workload, to potentially include a flat rate fee on everyone subject to the expanded NIS Regulations, a paper published by the government on November 30 revealed.
The proposed reforms will also include stricter incident reporting requirements. How this will work remains nebulous at this point. HMG said: “Competent authorities and the government understand that effective incident management and monitoring systems receive thousands, if not hundreds of thousands of alerts every day, and have no wish to burden themselves or operators with a requirement to report all of these incidents. A triage system will need to be put in place to identify only the more serious and threatening incidents.”
UK NIS Regulations reform: More expansive regime coming soon
The revised NIS Regulations for MSPs will be bifurcated, the government said.
“This will involve a proactive (ex-ante) supervisory regime for the most critical digital services and a reactive (ex-post) supervisory regime for the remaining digital services regulated under NIS,” the government said.
Supervision will be conducted by the Information Commissioner’s Office (ICO).
The Department for Digital, Culture, Media & Sport (DCMS) said on November 30: “DCMS is aware that this measure will require the ICO to regulate substantially more firms than it currently does.
“This will increase the costs faced by the regulator as there will be an increase in the cost of overseeing a larger number of entities, responding to their enquiries and dealing with more incidents. Further funding from the government will absorb the initial cost of this new responsibility for the ICO, until a new funding scheme, created through the cost recovery measures…” The latter approach has yet to be clarified.
One option is for the government to “recover costs incurred from issuing enforcement notices, penalty notices (to name a few) through issuing invoices to regulated entities after a regulatory action has taken place”.
Another option under consultation is “a flat rate fee for all regulated entities, with entity specific costs (i.e. audits, investigations etc.) charged on an historic, as occurred, basis”, a DCMS proposal revealed.
An earlier consultation had seen respondents bewail a lack of expertise and lack of investment that could give their organisations greater insight into supply chain risk — including into their MSPs’ security.
HMG earlier noted pointedly that it “is the responsibility of senior management and boards to prioritise and drive investment in this area”, adding that it will also “seek to harness influential market agents to drive supply chain cyber security risk management up the agenda, ensuring they have access to appropriate guidance and information about the costs and impact of cyber incidents to strengthen the internal case for investment.”
“The updates to the NIS regulations will be made as soon as parliamentary time allows and will apply to critical service providers, like energy companies and the NHS, as well as important digital services like providers of cloud computing and online search engines” DCMS said. The secondary regulation that gives the government power to expand the NIS could be used to cover “electric vehicles, waste water, data centres, organisations providing aggregation services in the energy sector, energy management and demand response services (e.g. electric chargepoint operators), heat pumps, batteries, manufacturing (particularly the manufacturing of electronic hardware and software, and chemicals, and any products that could be considered essential, such as pharmaceuticals and medical devices used within healthcare), construction, and education” it added.
MSP customers need to demand more of their providers when it comes to security, a joint advisory from the cybersecurity agencies of Australia, Canada, New Zealand, the UK and the US urged in May.
They urged MSP customers to contractually mandate the use of MFA, as well as to ensure that contracts with MSPs include backup services that meet customer resilience and disaster recovery requirements.