The Government has revealed plans to strengthen digital supply chains by extending the Network and Information Systems (NIS) Regulations to managed service providers (MSPs).
The Department for Digital, Culture, Media and Sport (DCMS) said it is planning to update the regulations as soon as parliamentary time allows, and will apply them to critical service providers including the NHS and energy companies, along with providers of important digital services such as cloud computing and search engines.
It pointed to the role of MSPs in providing IT services such as security monitoring and digital billing, and said this makes them attractive targets for cyber criminals.
Other changes will include requiring the services to improve their reporting of cyber incidents to regulators such as Ofcom, Ofgem and the Information Commissioner’s Office. This includes notifying the regulators of a wider range of incidents that could signal a high risk even if they do not immediately cause disruption.
This will be accompanied by the establishment of a cost recovery system for enforcing the regulations that is more transparent and takes into account wider regulatory burdens, company size and other factors.
In addition, the Information Commissioner’s Office will be able to take a more risk-based approach to regulating digital services.
Power of amendment
The new measures will also give the Government the power to amend the NIS Regulations in future to ensure they remain effective – possibly by making them apply to more organisations.
Cyber minister Julia Lopez said: “The services we rely on for healthcare, water, energy and computing must not be brought to a standstill by criminals and hostile states.
“We are strengthening the UK’s cyber laws against digital threats. This will better protect our essential and digital services and the outsourced IT providers which keep them running.”
Paul Maddinson, the National Cyber Security Centre’s director of national resilience and strategy, said: “I welcome the opportunity to strengthen NIS regulations and the impact they will have on boosting the UK’s overall cyber security.
“These measures will increase the resilience of the country’s essential services – and their managed service providers – on which we all rely.”