Out-Law News

NIS cyber fines risk is real, warns expert

Businesses subject to cybersecurity regulations in the UK need to take the risk of enforcement seriously, despite findings from a recent review of the legislation, an expert has said.

Cyber risk specialist Stuart Davey of Pinsent Masons was commenting after the second post-implementation review (PIR2) of the UK’s Network and Information Security (NIS) Regulations was published by the UK government.

The review found that the Regulations have largely been successful in achieving the objective “to prevent (where possible) and improve the levels of protection against network and information systems incidents”, but also identified areas for improvement – some of which are addressed by government proposals for reform of the NIS regime set out earlier this year.

The NIS Regulations, which took effect in 2018 and originally derived from EU law, provide for two separate regimes of cybersecurity regulation – one that applies to operators of ‘essential’ services across critical infrastructure such as health, energy and transport; and one that applies specifically to ‘digital service providers’ (DSPs). Perhaps the most notable aspects of each regime are the requirements to put cybersecurity measures in place and to report incidents.

Enforcement is one of the areas of the NIS regime that the PIR2 identified could be improved.

The NIS regime was updated in 2020 to “make the enforcement framework more robust”, the government said, but the review found that UK regulators are using the enforcement tools available to them – which include information-gathering powers and powers to compel businesses to change their practices via enforcement notices – less often than is merited. Regulators also have the power to issue fines of up to £17 million for the most severe material contraventions of the legislation, but to date no fines have been issued at all under the NIS regime.

The review found that regulators are concerned about a lack of clarity over the grounds for enforcement under the NIS Regulations. The government said it would “consider this in greater depth in the next period, in order to reach a conclusion and rectify the underlying issue”.

Davey said: “While the PIR2 identifies that ‘formalised enforcement tools should only be used as a last resort after engagement is no longer fruitful’, we are currently providing advice in relation to enforcement activity, including threatened financial penalty, brought against an operator of an essential service for alleged breach of the NIS Regulations. This shows that the risk of enforcement action needs to be taken seriously.”

The government’s consultation on reform earlier this year proposed significant amendments to the NIS regime. These include plans to bring managed service providers within the definition of DSPs subject to the NIS requirements, and new powers that would enable the government to designate entities that operators of essential services rely on as ‘critical dependencies’ and subject them to the same requirements the operators face under the NIS framework. The PIR2 said that “additional levers are being explored” beyond the NIS-related proposals to “diminish the overall level of risk posed by supply chain providers”.

The review also found fault with the current incident reporting regime under the NIS Regulations. It said the thresholds for reporting “are too high” and that the definition of a reportable incident under the legislation “is too narrow in scope to capture all the most high-risk incidents”. The review said, however, that the government’s proposals to alter the incident reporting rules should make it easier for industry to understand their reporting obligations and ultimately bolster the UK’s cyber resilience.

Another area where room for improvement was identified is over the difficulty some digital service providers have said they have with identifying whether their business is in scope of the NIS regime. In-scope DSPs must register with the Information Commissioner’s Office (ICO), which is the relevant regulator under the NIS Regulations for DSPs. The government said it will consider boosting the ICO’s information-gathering powers to help it “ensure that the right entities are registered”.

Measures are also proposed to help regulators to recover the cost of regulating under the NIS regime, while stronger collaboration between regulators is also being considered “to improve resource-efficiency”.

Greater cross-sector consistency in the way the NIS Regulations are implemented is also needed, according to the review. The review urged the government to update guidance for regulators, to explore making that guidance “more binding”, and to compel regulators to report against common “performance indicators” and hold them “accountable for their performance”.

Davey said: “This year we have seen a number of competent authorities issue updated – and more comprehensive – guidance to the operators of essential service in their sector. This appears to, in part, address some of the criticisms raised against competent authorities in the first years of NIS being in force.”

Following Brexit, there is scope for UK and EU law to diverge in many areas, including the NIS regime. Earlier this year EU law makers reached a deal on a proposed ‘NIS2’, which would expand the EU NIS regime to more organisations. Davey said that it will be interesting to monitor how the position in the EU differs from any changes which might flow from the UK’s PIR2.

The next post-implementation review of the NIS Regulations is not scheduled until 2027.
