The New Cyber Security and Resilience Bill: What You Need to Know

Since 2018, the UK has operated under the Network and Information Systems (NIS) Regulations 2018, which transposed the EU's original NIS Directive into UK law. Now that the EU has replaced that Directive with NIS2, it is the UK's turn to update its framework and enhance the cyber resilience of its critical infrastructure.

The new Cyber Security and Resilience Bill, a significant step towards protecting vital public services such as the NHS, transport, energy and water supplies, is currently undergoing its Second Reading in the House of Commons. Read on to learn what to expect.

Key measures of the Cyber Security & Resilience Bill

1. Expanding regulation to Managed Service Providers (MSPs)

The Bill directly addresses the escalating threat of cyber-attacks on supply-chain partners by bringing Managed Service Providers (MSPs) into the scope of regulation:

  • Why? MSPs deliver core IT services and, to do so, hold privileged and often persistent access to their clients' systems, networks and data. That access makes a single MSP a route into many downstream organisations at once, and attackers have increasingly exploited it.
  • How? MSPs providing core IT services will become subject to the same duties as existing Relevant Digital Service Providers (RDSPs) under the 2018 Regulations.
  • Who? The Information Commissioner's Office (ICO) will act as the enforcement body, gaining new powers to regulate MSPs, including information gathering, investigation and enforcement.

2. Shoring up supply-chain security with critical suppliers

Bringing MSPs into scope is only one way the Bill attempts to strengthen supply-chain resilience. It also introduces a second major mechanism for regulating key third-party partners:

  • Stronger duties on operators. The Bill will enable the government to establish stronger, more targeted supply-chain duties for both Operators of Essential Services (OES) and RDSPs.
  • Designation of critical suppliers. Regulators will gain the authority to identify and designate specific, high-impact suppliers as Designated Critical Suppliers (DCS). These suppliers will face obligations comparable to those placed on an OES or RDSP.

But which suppliers? Based on the government's policy statement, a supplier can be designated as critical only if it meets all of the following criteria:

  • Service provision. It provides goods or services (including digital services) to an OES or an RDSP.
  • High-impact risk. A disruption or failure of its service, or an incident affecting its systems, could have a significant disruptive effect on the essential or digital service its client provides.
  • Reliance on networks and information systems. Its goods or services depend on networks and information systems (e.g. IT infrastructure or operational technology) that could be targeted or disrupted.
  • Regulatory gap. It is not already subject to comparable cyber-resilience regulation elsewhere (e.g. under the Telecommunications (Security) Act 2021 or the 2018 Regulations).

3. Enhanced regulatory and enforcement powers

The Secretary of State will receive expanded powers to:

  • Update security requirements. Issue codes of practice and update the technical security requirements regulated entities must meet, for example by reference to the NCSC Cyber Assessment Framework (CAF), to give specific compliance guidance.
  • Future-proof the framework. Amend the regulatory framework without requiring a new Act of Parliament, for example to bring new sectors or sub-sectors into scope or to change the responsibilities of NIS regulators as the threat environment evolves.

The ICO, as the regulator for RDSPs, will also receive additional tools, including:

  • Criticality determination. Power to gather information to help determine the criticality of regulated digital services and refine its risk-based approach.
  • Reporting and information sharing, including:
    • An expanded duty for digital service firms to share information with the ICO upon registration.
    • Expanded criteria for the ICO to use its power to serve information notices on digital service firms.
    • Appropriate information gateways for entities outside the scope of the NIS Regulations to share relevant information with the ICO.

4. Tighter incident reporting requirements

The current reporting requirements will be significantly tightened to speed up response and increase transparency:

  • Expanded reportable incidents. The definition of a reportable incident will be broadened to capture any incident that could:
    • Have a significant impact on the provision of the essential or digital service.
    • Significantly affect the confidentiality, availability and integrity of a system, even where continuity of service is not affected.
  • Two-stage reporting structure. The Bill introduces a much stricter, two-stage reporting process for regulated entities:
    • Initial notification. The entity must notify both its sectoral regulator and the NCSC of a significant incident no later than 24 hours after becoming aware of it.
    • Full report. A comprehensive incident report must follow within 72 hours of becoming aware of the incident.
  • Increased transparency. Digital service providers and data centres will also be required to alert customers who may be affected by a significant incident, promoting openness and accountability.

Conclusion: Getting ready to comply

Finally, the Second Reading of the Cyber Security and Resilience Bill in the House of Commons only confirms what we have long known to be true: change is coming to the UK's critical infrastructure sector.

For a preview of what that change might look like, UK critical infrastructure organisations need only look across the Channel at the rollout of the NIS2 Directive. What is NIS2 all about? Read our Guide to Understanding the NIS2 Directive for Cybersecurity to find out.