UK proposes NIS regulations to regulate MSPs, bring about incident reporting measures


The U.K. government has set out proposals that concern all organizations within the scope of the Network and Information Systems (NIS) regulations, as well as other private and public entities that provide digital services (or a form of service) that an essential service relies on. Through a comprehensive set of interventions, these measures seek to address the gaps and threats identified within the NIS regulations, and are intended to mature into a longer-term vision for the protection of the U.K.’s essential services and critical national infrastructure, and for increasing wider cyber resilience across the economy.

Responding to a public consultation earlier this year, the U.K. government confirmed on Wednesday that the NIS regulations will be strengthened to protect essential and digital services against increasingly sophisticated and frequent cyber attacks, both now and in the future. The legislation intends to establish a common level of security for network and information systems, which play a vital role in the economy and wider society. It also aims to address the threats posed to them from a range of areas, most notably cyber attacks, and applies to two groups of organizations – operators of essential services (OES) and relevant digital service providers (RDSPs).

The U.K. can change the NIS regulations, which were originally derived from the EU’s NIS directive, because it has left the European Union (EU) and can now update these laws to better fit the country’s cybersecurity needs. Earlier this week, the EU Council adopted the NIS2 legislation to build a high common level of cybersecurity across the Union, improving the resilience and incident response capacities of both the public and private sectors and the EU as a whole.

“The services we rely on for healthcare, water, energy, and computing must not be brought to a standstill by criminals and hostile states,” Julia Lopez, U.K.’s cyber minister, said in a media statement. “We are strengthening the UK’s cyber laws against digital threats. This will better protect our essential and digital services and the outsourced IT providers which keep them running.”

Lopez added that the government is “also taking this opportunity to upgrade our cyber security legislation so that it can more easily manage future risks. Giving us the ability to make amendments to our cyber security regulations, improving incident reporting, and potentially bringing new sectors into scope.”

Paul Maddinson, director of national resilience and strategy at the National Cyber Security Centre (NCSC), said that he welcomes “the opportunity to strengthen NIS regulations and the impact they will have on boosting the UK’s overall cyber security. These measures will increase the resilience of the country’s essential services – and their managed service providers – on which we all rely,” he added.

In March, U.S. President Joe Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), marking a critical milestone in improving the nation’s cybersecurity by, among other things, requiring the lead cybersecurity agency, the Cybersecurity and Infrastructure Security Agency (CISA), to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments to CISA. These reports will allow CISA to rapidly deploy resources and assist victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims.

The updates to the NIS regulations in the U.K. will be made as soon as parliamentary time allows and will apply to critical service providers, like energy companies and the NHS, as well as important digital services like providers of cloud computing and online search engines.

Other changes include requiring essential and digital services to improve cyber incident reporting to regulators such as Ofcom, Ofgem, and the ICO. This includes notifying regulators of a wider range of incidents that disrupt service or which could have a high risk or impact on their service, even if they don’t immediately cause disruption.

The new measures will give the government the power to amend the NIS regulations in the future to ensure it remains effective. The change will allow more organizations to be brought into scope if they become vital for essential services and add new sectors which may become critical to the U.K.’s economy.

The updated rules will allow regulators to establish a cost recovery system for enforcing the NIS regulations that is more transparent and takes into account the wider regulatory burdens, company size, and other factors to reduce the burden on taxpayers.

The Information Commissioner will be able to take a more risk-based approach to regulate digital services under the updated cyber laws and will be allowed to take into account how critical providers are to supporting the resilience of the U.K.’s essential services.

The U.K. NIS regulations came into force in 2018 to improve the cyber security of companies providing critical services. These changes to legislation are part of the government’s £2.6 billion National Cyber Strategy which is taking a stronger approach to getting at-risk businesses to improve their cyber resilience and making the U.K. digital economy more secure and prosperous. Organizations that fail to put in place effective cybersecurity measures can be fined as much as £17 million for non-compliance.

The proposed measures include expanding the scope of ‘digital services’ to include ‘managed services,’ while applying a two-tier supervisory regime for all digital service providers: a new proactive supervision tier for the most critical providers, alongside the existing reactive supervision tier for everyone else. It also sets out to create new delegated powers to enable the government to update the regulations, both in terms of the framework but also scope, with appropriate safeguards; and create a new power to bring certain organizations, ones that entities already in scope are critically dependent on, within the remit of the NIS regulations. 

The new rules note that the privileged access MSPs have to their customers’ networks makes them an attractive target for cybercriminals, who can exploit MSP software vulnerabilities to compromise a wide range of clients.

The new rules also include strengthening existing incident reporting duties, currently limited to incidents that impact on service, to also include other significant incidents; and extending the existing cost recovery provisions to allow regulators like Ofcom, Ofgem, and the ICO, to recover the entirety of reasonable implementation costs from the companies that they regulate.

The measures outlined in the current consultation are divided into three ‘pillars’, each aiming to address a specific objective. The first pillar proposes to bring additional critical providers of digital services into the U.K.’s cybersecurity regulatory framework. The move will ensure that those providers who frequently have privileged access and provide critical support to essential U.K. services have adequate cybersecurity protections in place and can be regulated effectively and proactively.

The second pillar is set to future-proof the U.K.’s existing cybersecurity legislation, primarily the NIS regulations, including the Commission Implementing (EU) Regulation 2018/151 which provides additional details on the security and notification requirements placed on digital service providers in the scope of the NIS regulations. The action will enable adaptation to potential changes in threats and technological developments. 

The third pillar covers considerations for the standardization of the cybersecurity profession to embed consistent competency standards across the cyber profession. 

The proposed NIS regulations identified that incident reporting is a regulatory function – not an incident management function. The purpose of the incident report is to allow the competent authority to understand the nature and impact of the incident, so that it can assess whether any further regulatory action is necessary, not to enable it to carry out incident response activities. Competent authorities would then share this information with the NCSC as required under the regulations.

It also added that it is probable that the impact of incidents affecting the security of network and information systems of organizations in scope would not be limited to the NIS regulations. Incidents can also impact other regulatory regimes, such as data protection or the payments services directive. Where such instances arise, regulators are encouraged to work together to minimize the reporting burden on the organizations, as is the case under the existing regulations.

The U.K. government proposes that the full costs incurred by competent authorities for regulating NIS are transferred from the taxpayer onto the organizations in scope by creating a more flexible model that allows them to raise fees and recover costs for relevant NIS activities. 

Commenting on the U.K. government’s proposals, Yaron Kassner, CTO and cofounder at Silverfort, said in an emailed statement that the government’s decision to update these regulations reflects how MSPs present a ripe target for attackers.

“As central points of cybersecurity management for lots of organizations – they provide a jumping-off point for lateral movement inside a large number of environments,” Kassner said. “As we saw with Operation Cloudhopper – attackers were able to access MSP customers using seemingly legitimate credentials, before moving through the network to exfiltrate data. While controls such as MFA on internal resources could technically help address attacks like this, the regulation provides a necessary impetus to ensure MSPs act according to best practice,” he added.

In October, the NCSC published new cybersecurity guidance to help organizations assess and gain confidence in the cybersecurity of their supply chains. The advisory comes in response to growing trends in supply chain attacks and calls upon organizations to work with suppliers to identify weaknesses and boost resilience.
