UK strengthens NIS Regulations to protect essential and digital services from cyberattacks

Under the new changes, managed service providers will be brought into scope of the NIS Regulations to keep the UK digital supply chains secure.

UK Parliament and Big Ben with data points

The UK government has announced the strengthening of the Network and Information Systems (NIS) Regulations to better protect the UK’s essential and digital services against cyberattacks.

The update means that IT service providers will be brought into scope of cybersecurity regulations to strengthen UK supply chains with changes designed to boost security standards and increase reporting of serious cybersecurity incidents to reduce risk of attacks causing disruption.

The decision comes following a public consultation from earlier this year, which called for inputs on proposed amendments to the NIS Regulations. The regulations originally came into force in 2018 and follow the EU Council’s recent adoption of the NIS2 directive to harmonise cybersecurity across member states.

UK’s cybersecurity laws must be strengthened to protect vital services

High profile cyberattacks such as Operation CloudHopper, which targeted managed service providers (MSPs) and compromised thousands of organisations at the same time, show that the UK’s cybersecurity laws need to be strengthened to continue to protect vital services and the supply chains they rely on, the UK government said in a statement.

“MSPs provide IT services such as security monitoring and digital billing and can have privileged access to their customer’s IT networks. This makes them an attractive target for cyber criminals who can exploit MSP software vulnerabilities to compromise a wide range of clients,” it stated. Under new changes MSPs will be brought into scope of the regulations to keep digital supply chains secure.

The updates to the NIS Regulations will be made as soon as parliamentary time allows and will apply to critical service providers, like energy companies and the NHS, as well as important digital services like providers of cloud computing and online search engines, the government said.

Further changes will require essential and digital services to improve cyber incident reporting to regulators such as Ofcom, Ofgem and the ICO, including notifying regulators of a wider range of incidents that disrupt service or which could have a high risk or impact to their service, even if they don’t immediately cause disruption.

UK government gains new powers to amend NIS Regulations

The UK government will also gain new powers to amend the NIS Regulations in future to ensure it remains effective, allowing more organisations to be brought into scope if they become vital for essential services and add new sectors, which may become critical to the UK’s economy.

Furthermore, the UK Information Commissioner’s office (ICO) will take a more risk-based approach to regulating digital services under the updated laws and will be allowed to take into account how critical providers are to supporting the resilience of the UK’s essential services.

“The services we rely on for healthcare, water, energy and computing must not be brought to a standstill by criminals and hostile states,” UK’s Cyber Minister Julia Lopez  said in a statement. “We are strengthening the UK’s cyber laws against digital threats. This will better protect our essential and digital services and the outsourced IT providers which keep them running.”

“These measures will increase the resilience of the country’s essential services – and their managed service providers – on which we all rely,” added Paul Maddinson, NCSC director of national resilience and strategy, welcoming the changes to the regulation.


Copyright © 2022 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)