December 5, 2022
In January 2022, the Government launched a public consultation on proposals for legislation to improve the UK’s cyber resilience. The proposals included seven policy measures to address the evolving cyber security threats the UK faces via amendments to the Network and Information Systems (NIS) Regulations 2018.
The consultation received 304 survey responses. The Government says that the overall response was positive, with six of the seven proposed measures receiving more positive than negative responses. The one exception was the proposed measure to expand full cost-recovery provisions so that competent authorities can recover the full cost of carrying out their NIS functions, which received more negative responses than positive.
The Government is therefore proceeding with its proposals to strengthen the NIS Regulations.
The NIS Regulations will be amended to bring Managed Service Providers (MSPs), outsourced third-party providers of IT services, within the scope of the legislation. As the Government explains, MSPs that provide services such as security monitoring and digital billing often have privileged access to their customers' IT networks, which makes them an attractive target for cyber criminals: compromising one MSP can give an attacker a route into many customer environments at once. MSPs are key to the functioning of essential services, and bringing them into the scope of the Regulations will help keep digital supply chains secure, the Government says.
The updates to the NIS Regulations will be made as soon as parliamentary time allows and will apply to critical service providers, such as energy companies and the NHS, as well as important digital services such as providers of cloud computing and online search engines.
Other changes include requiring operators of essential services and digital service providers to improve cyber incident reporting to regulators such as Ofcom, Ofgem and the ICO. This includes notifying regulators of a wider range of incidents: not only those that disrupt service, but also those that pose a high risk to, or could have a high impact on, the service even if they do not immediately cause disruption.
The new measures will also give the Government the power to amend the NIS Regulations in future by secondary legislation so that they remain effective. This will allow more organisations to be brought into scope if they become vital to essential services, and new sectors to be added as they become critical to the UK's economy.
As for expanding the cost recovery provisions, despite only a 46% approval rate among respondents to the consultation, the measure received a significant amount of constructive feedback, which the Government says it is carefully considering. Concerns related primarily to the burden the proposal would place on regulated organisations, and to the danger of creating a perverse incentive for regulators to take enforcement action more often in order to recover costs. The Government says it has, where possible, provided reassurance and clarification on these issues in its response, and that additional guidance will be developed to clarify the impact of the cost recovery mechanisms. The updated rules, it says, will allow regulators to establish a cost recovery system that is more transparent and that takes into account the wider regulatory burden, company size and other factors, reducing the burden on the taxpayer.
Under the amended Regulations, the Information Commissioner will be able to take a more risk-based approach to regulating digital service providers, taking into account how critical the providers in question are to supporting the resilience of the UK's essential services.
These changes to legislation are part of the Government's £2.6 billion National Cyber Strategy. The Government's press release, which links to the consultation and to the Government's full response, is available in full.