Out-Law News
UK science and technology Secretary Liz Kendall. Photo: Yui Mok/WPA Pool/Getty Images
14 Nov 2025, 12:22 pm
Companies failing to provide adequate cyber security for key UK infrastructure face heavy fines under new powers announced yesterday.
The Cyber Security and Resilience Bill, unveiled by Science and Technology Secretary Liz Kendall this week, will give regulators the power to hit companies with stronger, turnover-based penalties for serious cyber security breaches, with harmful incidents now required to be reported within 24 hours.
For the first time, this will bring managed service providers and data centres within the scope of the UK’s Network and Information Systems Regulations 2018 (NIS).
The new rules mean medium and large companies providing IT and cybersecurity services to private and public sector bodies – such as the NHS – now face additional cyber regulation as the UK looks to step up protection against the increasing threat of cyber attack. They will be regulated by the Information Commissioner’s Office (ICO) as ‘registered managed service providers’ (RMSPs).
Stuart Davey, a cyber readiness expert with Pinsent Masons, said the new legislation would mean service providers would need to be ready for much greater scrutiny of how they would manage a cyber attack.
“Managed service and technology providers will need to consider carefully the scope of their services to see if they fall under the remit of the bill, and what that might mean for them in terms of cyber preparedness. Much will depend on the nature of the services offered to their customers, including whether they provide ongoing management of IT services,” he said.
“Large and medium-sized MSPs will need to put in place appropriate measures to manage risks to the services they provide.”
In addition, data centres will be regulated as ‘operators of essential services’ (OESs) by DSIT and Ofgem, as part of the digital infrastructure sector.
“This addition was trailed in a briefing paper earlier this year, but it was unclear whether the government would ultimately opt to regulate data centres in this way,” explained Davey.
“In choosing to do so, this brings the position in line with the EU, which designates data centres a critical sector under NIS2, and closely follows their designation within the UK as ‘critical national infrastructure’. This demonstrates the government’s position on the importance of data centre services to the UK economy.”
These companies will need to show they have robust plans in place to deal with cyber attacks, along with reporting processes to flag significant or potentially significant incidents to both government and customers.
Regulators and the National Cyber Security Centre (NCSC) will need to be notified of incidents within 24 hours, with a full report to follow within 72 hours. The timescales have changed, but so too have the triggers for notification, with near-miss incidents or those “capable of having… adverse effect” also included within the reporting requirements. Customers who are likely to be affected by an attack on managed services will also now need to be informed promptly by the service providers.
David McIlwaine, a cyber expert with Pinsent Masons, said: “Entities caught by the new bill will need to ensure they have a well-rehearsed incident response plan in place, as providing a full report within 72 hours will require immediate action and investigation.
“This will also likely drive the need to have crisis communications with press releases available quickly for deployment and a strategy for notifying affected customers and data subjects. We know from recent decisions of the ICO, including relating to Capita and Advanced Computer Software, that there is increased scrutiny of technology suppliers and service processors.”
Other clarifications and changes to the digital economy will be introduced through additional proposals to allow regulators to designate “critical suppliers” directly as OESs. This will affect technology providers whose networks and information systems existing operators rely upon to deliver their services.
In addition, for technology providers offering cloud computing services, additional clarifications are proposed in the bill as to what is meant by “scalable and elastic” services.
“Ascertaining whether cloud services were in scope of NIS has not been straightforward, given the definitions in the original regulations,” said Davey.
“This has led to uncertainty for tech suppliers, and for the ICO, as to what services are within scope. While careful consideration needs to be given to the wording, this clarificatory wording should be welcomed.”
The bill comes in the wake of warnings from the NCSC in October that companies needed to step up their preparations after a rise in significant attacks.
Car manufacturer Jaguar Land Rover is still recovering from a cyber attack which is estimated to have cost the company almost £2 billion.
Information Commissioner John Edwards welcomed the introduction of the bill, adding: “This is an important piece of legislation that will strengthen the country’s cyber resilience and ultimately better protect people’s data.”
The head of the NCSC, Dr Richard Horne, added: “The real-world impacts of cyber attacks have never been more evident than in recent months, and at the NCSC we continue to work round the clock to empower organisations in the face of rising threats.
“As a nation, we must act at pace to improve our digital defences and resilience, and the Cyber Security and Resilience Bill represents a crucial step in better protecting our most critical services. Cyber security is a shared responsibility and a foundation for prosperity, and so we urge all organisations – no matter how big or small – to follow the advice and guidance available at ncsc.gov.uk and act with the urgency that the risk requires.”
The proposals have also been welcomed by the UK’s technology trade association, TechUK: