MSPs to be classified as critical service providers under strengthened cybersecurity laws

IT providers will be brought into scope of NIS cyber regulations to strengthen UK supply chains, says UK government

Posted 1 December 2022 by Christine Horton


The UK government is to strengthen the Network and Information Systems (NIS) Regulations. This, it said, is to protect essential and digital services against increasingly sophisticated and frequent cyberattacks.

The UK NIS Regulations came into force in 2018 to improve the cybersecurity of companies providing critical services. Organisations which fail to put in place effective cybersecurity measures can be fined as much as £17 million for non-compliance.

However, high-profile attacks such as Operation CloudHopper, which targeted managed service providers (MSPs) and compromised thousands of organisations at the same time, show that the UK's cyber laws need to be strengthened to continue to protect vital services and the supply chains they rely on.

The changes mean that MSPs will be treated as critical service providers – alongside those that provide water, energy, transport, healthcare and digital infrastructure – and brought into scope of the NIS regulations.

Earlier this year the Department for Digital, Culture, Media and Sport (DCMS) called for views on how to improve the security of digital supply chains and third party IT services. Its research showed only 12 percent of organisations review the cybersecurity risks coming from their immediate suppliers and only one in twenty firms (five percent) address the vulnerabilities in their wider supply chain.

“The services we rely on for healthcare, water, energy and computing must not be brought to a standstill by criminals and hostile states,” said cyber minister Julia Lopez. “We are strengthening the UK’s cyber laws against digital threats. This will better protect our essential and digital services and the outsourced IT providers which keep them running.”

Other changes

The updates to the NIS regulations will be made as soon as parliamentary time allows and will apply to critical service providers, like energy companies and the NHS, as well as important digital services like providers of cloud computing and online search engines.

Other changes include requiring essential and digital services to improve cyber incident reporting to regulators such as Ofcom, Ofgem and the ICO. This includes notifying regulators of a wider range of incidents that disrupt service or which could have a high risk or impact to their service, even if they don’t immediately cause disruption.

DCMS also says the changes will allow more organisations to be brought into scope if they become vital for essential services and add new sectors which may become critical to the UK’s economy.

They are part of the government's £2.6 billion National Cyber Strategy, which is taking a stronger approach to getting at-risk businesses to improve their cyber resilience and to making the UK digital economy more secure and prosperous.

To stay in touch with all cyber issues, why not register to attend our Cybersecurity for Government conference in early 2023.