The UK government is to strengthen the Network and Information Systems (NIS) Regulations. This, it said, is to protect essential and digital services against increasingly sophisticated and frequent cyberattacks.
The UK NIS Regulations came into force in 2018 to improve the cybersecurity of companies providing critical services. Organisations that fail to put effective cybersecurity measures in place can be fined as much as £17 million for non-compliance.
However, high-profile attacks such as Operation Cloud Hopper, in which attackers compromised managed service providers (MSPs) and used that privileged access to reach thousands of the MSPs' customers at once, show that the UK's cyber laws need to be strengthened to continue to protect vital services and the supply chains they rely on.
The changes mean that MSPs will be treated as critical service providers – such as those that provide water, energy, transport, healthcare and digital infrastructure – and brought into scope of NIS regulations.
Earlier this year the Department for Digital, Culture, Media and Sport (DCMS) called for views on how to improve the security of digital supply chains and third-party IT services. Its research showed that only 12 percent of organisations review the cybersecurity risks coming from their immediate suppliers, and only one in twenty firms (five percent) address vulnerabilities in their wider supply chain.
“The services we rely on for healthcare, water, energy and computing must not be brought to a standstill by criminals and hostile states,” said cyber minister Julia Lopez. “We are strengthening the UK’s cyber laws against digital threats. This will better protect our essential and digital services and the outsourced IT providers which keep them running.”
Other changes
The updates to the NIS regulations will be made as soon as parliamentary time allows and will apply to critical service providers, like energy companies and the NHS, as well as important digital services like providers of cloud computing and online search engines.
Other changes include requiring essential and digital services to improve cyber incident reporting to regulators such as Ofcom, Ofgem and the ICO. Reporting would cover a wider range of incidents: not only those that disrupt service, but also those that pose a high risk or potential impact to the service even where no disruption has yet occurred.
DCMS also says the changes will allow more organisations to be brought into scope if they become vital for essential services and add new sectors which may become critical to the UK’s economy.
They are part of the government’s £2.6 billion National Cyber Strategy which is taking a stronger approach to getting at-risk businesses to improve their cyber resilience and making the UK digital economy more secure and prosperous.
To stay in touch with all cyber issues, why not register to attend our Cybersecurity for Government conference in early 2023.