UK - The Government announces updates to the NIS Regulations

On 30 November 2022, the UK Government announced that, following a public consultation in January 2022, the Network and Information Systems (NIS) Regulations will be updated and strengthened to protect essential and digital services against increasingly sophisticated and frequent cyber-attacks.

As part of this update, outsourced IT and managed service providers (MSPs) will be brought into the scope of the NIS Regulations, alongside other essential service providers, such as energy, transport, healthcare and water companies, and providers of important digital services, such as cloud computing and online search engines. MSPs are described as key to the functioning of essential services that keep the UK economy running. They include outsourced IT providers that provide services such as security monitoring and digital billing and that have privileged access to their customers' IT networks.

The updates also introduce wider cyber-security incident reporting requirements for providers of essential and digital services, who report to regulators such as the UK Office of Communications (Ofcom), the Office of Gas and Electricity Markets (Ofgem) and the Information Commissioner's Office (ICO). This includes notifying regulators of a wider range of high-risk incidents, even if they do not immediately cause disruption.

The new measures will give the UK Government the power to amend the NIS Regulations in the future to allow more organisations to be brought into scope, if they are considered to be vital for essential services, and add new sectors that may become critical to the UK economy. The press release also states that the ICO will be able to take a more risk-based approach to regulating digital services under the updated cyber laws by taking into account the criticality of providers in supporting the resilience of the UK’s essential services.
The updates to the NIS Regulations are expected to be made shortly, depending on parliamentary review time.

Read the UK Government press release here, the consultation outcomes here and the full Government response to the consultation here.