Incident reporting changes planned in UK cyber law reform

Out-Law News | 25 Jan 2022 | 4:13 pm | 5 min. read

Plans to expand the type of cybersecurity incidents that must be reported to UK authorities under the Network and Information Security (NIS) Regulations have been outlined by the UK government.

The plans form part of a wider package of proposed reforms that, if implemented, would subject many more businesses – including managed service providers, and other suppliers of services major infrastructure operators depend on – to the NIS regime in the UK for the first time.

The NIS Regulations, which took effect in 2018 and originally derived from EU law, provide for two separate regimes of cybersecurity regulation – one that applies to operators of ‘essential’ services across critical infrastructure such as in health, energy and transport; and one that applies to ‘digital service providers’ (DSPs) specifically. Perhaps the most notable aspects of each regime are the requirements for cybersecurity measures to be put in place and in relation to incident reporting.

Currently, incident reporting requirements under the NIS framework – including those recently updated for DSPs – are limited in scope to certain incidents that affect the continuity of service either DSPs or operators of essential services provide. The Department of Digital, Culture, Media and Sport (DCMS) said this means that “significant cybersecurity incidents” can arise without triggering the reporting obligations

Under the DCMS plans, the NIS Regulations would be changed to require the reporting of “any incident which has a significant impact on the availability, integrity, or confidentiality of networks and information systems, and that could cause, or threaten to cause, substantial disruption to the service”. DCMS said regulators would “work and agree the specific thresholds [for reporting] with operators of essential services and relevant digital service providers”.

DCMS’ consultation, which is open to feedback until 10 April 2022, also contains significant proposals to expand the scope of the NIS regime in two distinct ways.

First, the government is seeking new powers to designate entities as ‘critical dependencies’ to require those entities to adhere to the same requirements that operators of essential services face under the NIS framework. The government said its plans reflect the extent to which many operators of essential services rely on third party service providers, such as providers of outsourced IT services, and the fact those providers are often themselves not subject to the same stringent cybersecurity requirements.

“At present, the NIS Regulations only apply to organisations directly providing an ‘essential service’, such as those which are distributing water or generating electricity,” DCMS said. “Even though an essential service might wholly rely on another supporting service, it is not currently possible to ensure that this ‘dependency’ is adequately secure from a cyber security perspective and there is no statutory obligation to protect these services against cyber attacks.”

“These ‘essential services’ are too important to fail and the current approach of relying on commercial or contractual relationships between the third party suppliers or services and the overarching essential service provider to ensure supply chain security is not enough. More robust requirements to ensure minimum cyber security standards are required,” it said.

DCMS has proposed to give sector regulators the power to identify critical dependencies for their sector by reference to “minimum criteria” set in legislation. A process of consultation with businesses considered to meet the criteria is envisaged, and ultimately it would be for the government to decide whether to exercise their powers of designation. The government’s powers would extend to being able to designate organisations identified as dependencies for multiple sectors, according to the plans.

The government’s proposals for reform also include specific plans to bring ‘managed service’ providers within the scope of the NIS Regulations. Specifically, it intends to add managed services to the list of digital services the regulations apply to. Currently, the requirements DSPs face apply to search engines, online marketplaces and cloud computing providers only.

Digital providers of back-office functions such as payroll and accounting services, as well as businesses engaged in online network support and security monitoring for other organisations, are examples of the managed service providers that could find themselves subject to the UK’s NIS regime in future, according to DCMS.

The department has outlined criteria for defining ‘managed services’ for the purpose of the regulations, but has indicated that it is likely to add “risk-based characteristics to the definition” so as to limit the application of the rules to “those which would have the most substantial impact on the UK’s resilience should there be a disruption to their service”.

DCMS said it is seeking to apply the NIS regime to managed service providers after identifying their “central role in supporting the UK economy”, how “critical” they are “to the functioning, reliability, and availability of essential services in the UK”, and the fact they are increasingly being seen by cyber criminals as a route through which to access client systems and data.

“These proposals show that the UK is prepared to take a different approach to the EU’s proposal for a second NIS Directive,” said cyber risk expert Rosie Nance of Pinsent Masons. “While the EU and UK legislative proposals both look to expand the scope of the entities they cover, the UK has gone further in its proposals bringing key suppliers of operators of essential services into scope." 

The plans to regulate managed service providers and critical dependencies under the NIS framework reflect findings from an annual review of incidents advised on by the cyber team at Pinsent Masons (20-page / 4.89MB PDF), which identified a marked increase in the number of cyber incidents in which an intrusion into corporate systems had originated with a cybersecurity breach at a supplier, compared to the previous year.

David McIlwaine of Pinsent Masons recently endorsed a recommendation by the European Data Protection Board (EDPB) for organisations to develop a ‘handbook’ on handling personal data breaches and he has now said that such a handbook could address a wider range of cyber incidents and reflect incident reporting requirements the organisations face under the NIS Regulations as well as under data protection law.

Also included in DCMS’ plans for reform were broader proposals to change the way DSPs – including managed service providers, as proposed – are regulated under the NIS regime.

Under its plans, a two-tier system of regulation would apply, with ‘critical’ DSPs subject to proactive supervision and remaining DSPs subject to a “reactive regime”. DCMS plans to develop criteria to help identify the most critical providers of digital services. It has suggested factors such as market reach, scale of service, revenue and criticality of services supplied as potentially relevant. Ultimately, it would be for the Information Commissioner’s Office (ICO) to designate providers as ‘critical’.

“Digital service providers regulated on a more proactive basis would be required to more actively demonstrate to the ICO that they have fulfilled their duties under NIS, including maintaining appropriate and proportionate security measures,” DCMS said. “Digital service providers under a reactive regime would have the same duties, but would only be subjected to a lighter-touch supervision.”

The DCMS consultation also contains noteworthy proposals to enable the government to update the NIS regime in future through secondary legislation rather than via an Act of parliament. The government said those powers, which would be subject to some safeguards including a duty to consult, are needed to enable the government to act fast in response to emerging cyber risk in order to, for example, bring new sectors or sub-sectors within the scope of the regulations.

Further plans to enable regulators to recover the full costs they incur in fulfilling their duties under the NIS regime from the organisations subject to the regulations are also set out in the consultation paper.

DCMS has also opened a separate consultation, which closes on 20 March 2022, on how best to support the adoption of standards for cybersecurity professionals developed by the UK Cyber Security Council. The government is considering legislative intervention.

A further new publication, the 2022 cyber security incentives and regulation review, confirmed the UK government is assessing possible further intervention in relation to cybersecurity to “effectively support the economy and society to overcome the main barriers to cyber resilience, without placing unnecessary burdens on organisations”.

Rosie Nance of Pinsent Masons said: “The cybersecurity and incentives regulation review builds on the vision in the national cyber strategy of developing the UK as cyber power. The government’s view of cyber security seems to be as a positive force to strengthen the UK, rather than something undertaken defensively. This view was evident when it said: ‘government cannot leave cyber security solely to the marketplace to deliver widespread improvements in cyber resilience. In order to improve cyber resilience across the economy and society, the government needs to be more proactive and interventionist’."