UK NIS Regulations: Key legal developments for digital service providers


In 2018, the UK government demonstrated its commitment to managing cyber risks to critical national infrastructure by introducing the Network and Information Systems Regulations 2018 (NIS Regulations). These regulations came into force to improve provide a more consistent approach towards the cybersecurity of companies providing critical services including healthcare, water, energy and infrastructure, and transport. Organisations that provide these services and fail to put in place effective cyber security measures can be fined as much as £17 million for non-compliance.

Due to the growing digitisation of these organisations and their' increasing reliance on digital services, last year the government proposed changes to the NIS Regulations in order to protect essential and digital services against increasingly sophisticated and frequent cyber-attacks.

High profile attacks such as Operation CloudHopper, which targeted managed service providers (MSPs) by allowing the APT10 group unprecedented potential access to the intellectual property and sensitive data of those MSPs and their clients globally. This indirect approach of reaching many through only a few targets demonstrates a new level of maturity in cyber espionage and shows that UK’s cyber laws need to be strengthened to continue to protect vital services and the supply chains they rely on.

These revisions are due to be implemented as soon as parliamentary time will allow. This article looks at their potential impact on your business and/or supply chain.

Proposals to amend provisions relating to digital service providers

The regulation of digital service providers will expand to include MSPs which:

  • Are supplied to a client by an external supplier.
  • Involve regular and ongoing service management of data, IT infrastructure, IT networks, IT systems and/or the security thereof.
  • Are categorised as business to business (B2B).
  • Rely on the use of network and information systems.

MSPs will be required to register with the relevant competent authority, the Information Commissioners Office (the ICO) and have appropriate and proportionate security measures in place to ensure their networks are secure.

There will be a requirement to improve cyber incident reporting (regardless of whether or not incidents have caused immediate disruption) to regulators.

A two-tier supervisory regime will be put in place:

  • Tier 1 - for providers of the most critical digital services (proactive) who would be required to actively demonstrate to the ICO that they have fulfilled their duties under the NIS Regulations.
  • Tier 2 - for the remaining providers of regulated digital services (reactive). These providers would be subject to a lighter-touch supervision with regulatory action only being taken when there has been an incident, a credible report of an incident, or failure to implement the requirements of the NIS Regulations.

Recent example:

The Microsoft data breach of October 2022, saw a server misconfiguration that was reported to have caused 65,000+ companies’ data to be leaked.

Proposals to future-proof the UK NIS Regulations

  • Currently, any amendments to the NIS Regulations must be made via primary regulation. A new proposed measure would introduce a delegated power subject to safeguards, by which the government could make amendments to the NIS Regulations to vary the sectors and sub-sectors, which are in scope.
  • The establishment of a new cost recovery scheme for enforcing the NIS Regulations that is more transparent and takes into account the wider regulatory burdens, company size, and other factors to reduce taxpayer burden.
  • The Information Commissioner will be able to take a more risk-based approach to regulating digital services under the updated cyber security laws and will be allowed to take into account how critical providers are to supporting the resilience of the UK’s essential services.

What does this mean for you?

Cyber security risks are passed through supply chains. This allows seemingly small players in the supply chain to introduce disproportionately high levels of cyber security risk to multiple organisations.

As soon as the changes to the NIS Regulations are enforced, many companies who either use, provide or rely on the broad range of digital services will need to consider their current cyber security measures, registration with the ICO, incident reporting processes, and duties under the relevant supervisory regime level.

Early advice can go a long way to establish a confident cyber security culture within your business. Please do let us know if you would like to discuss what these changes might mean for you.