The review found that regulators are concerned about a lack of clarity over the grounds for enforcement under the NIS Regulations. The government said it would “consider this in greater depth in the next period, in order to reach a conclusion and rectify the underlying issue”.
Davey said: “While the PIR2 identifies that ‘formalised enforcement tools should only be used as a last resort after engagement is no longer fruitful’, we are currently providing advice in relation to enforcement activity, including threatened financial penalty, brought against an operator of an essential service for alleged breach of the NIS Regulations. This shows that the risk of enforcement action needs to be taken seriously.”
The government’s consultation on reform earlier this year proposed significant amendments to the NIS regime. This includes plans to bring managed service providers within the definition of DSPs subject to the NIS requirements, and new powers that would enable it to designate entities as ‘critical dependencies’ that operators of essential services rely on, and subject them to the same requirements the operators face under the NIS framework. The PIR2 said that “additional levers are being explored” beyond the NIS-related proposals to “diminish the overall level of risk posed by supply chain providers”.
The review also found fault with the current incident reporting regime under the NIS Regulations. It said the thresholds for reporting “are too high” and that the definition of a reportable incident under the legislation “is too narrow in scope to capture all the most high-risk incidents”. The review said, however, that the government’s proposals to alter the incident reporting rules should make it easier for industry to understand their reporting obligations and ultimately bolster the UK’s cyber resilience.
Another area where room for improvement was identified is the difficulty some digital service providers (DSPs) have said they have in working out whether their business is in scope of the NIS regime. In-scope DSPs must register with the Information Commissioner’s Office (ICO), which is the relevant regulator under the NIS Regulations for DSPs. The government said it will consider boosting the ICO’s information-gathering powers to help it “ensure that the right entities are registered”.
Measures are also proposed to help regulators to recover the cost of regulating under the NIS regime, while stronger collaboration between regulators is also being considered “to improve resource-efficiency”.
Greater cross-sector consistency in the way the NIS Regulations are implemented is also needed, according to the review. The review urged the government to update guidance for regulators, explore making the guidance “more binding”, as well as compel regulators to report against common “performance indicators” and hold them “accountable for their performance”.
Davey said: “This year we have seen a number of competent authorities issue updated – and more comprehensive – guidance to the operators of essential services in their sector. This appears to, in part, address some of the criticisms raised against competent authorities in the first years of NIS being in force.”
Following Brexit, there is scope for UK and EU law to diverge in many areas, including the NIS regime. Earlier this year EU law makers reached a deal on a proposed ‘NIS2’, which would expand the EU NIS regime to more organisations. Davey said that it will be interesting to monitor how the position in the EU differs from any changes which might flow from the UK’s PIR2.
The next post-implementation review of the NIS Regulations is not scheduled until 2027.