February 5, 2023

Volume XIII, Number 36


February 03, 2023


UK Cyber Laws Extended to Bring Outsourcers and Managed Service Providers into Scope to Strengthen UK’s Resilience Against Online Cyber Attacks

On November 30, 2022, the UK government confirmed that the Network and Information Systems (“NIS”) Regulations 2018 (“NIS Regulations”) will be strengthened to protect essential and digital services against cyber attacks. The changes bring providers of outsourced IT and managed service providers (“MSPs”) into scope of the NIS Regulations. The announcement comes in response to a public consultation held in January this year.

The NIS Regulations came into force in 2018 to improve the cybersecurity of companies providing critical services, such as energy, healthcare, transport and water. In January 2022, the UK government launched a public consultation on proposals to amend the NIS Regulations in order to improve the UK’s cyber resilience. The proposals included seven policy measures to address the increasingly sophisticated and frequent cybersecurity threats facing UK companies. The seven proposals are split across the two pillars as follows:

Pillar I: Proposals to amend provisions relating to digital service providers

  • Expanding the regulation of digital service providers; and

  • The supervisory regime for digital service providers.

Pillar II: Proposals to future-proof the NIS Regulations

  • Delegated power to update the NIS Regulations in the future within its current framework;

  • Delegated power to amend the scope of the NIS Regulations to add sectors and subsectors;

  • Measure to regulate critical sectoral dependencies in NIS;

  • Additional incident reporting duties beyond continuity of service; and

  • Full cost recovery for NIS functions.

The changes bring providers of outsourced IT and MSPs that are key to the functioning of essential services into scope of the NIS Regulations. This change will extend the application of the NIS Regulations to important digital services, such as providers of cloud computing and online search engines.

The changes also introduce new requirements for essential and digital service providers to improve their cyber incident reporting to regulators such as Ofcom, Ofgem and the ICO. This includes notifying regulators of a wider range of disruptive incidents or high-risk incidents, even if they do not cause disruption.

In addition, the new rules will allow regulators to establish a cost recovery system for enforcing the NIS Regulations that is more transparent and takes into consideration other factors, such as the wider regulatory burdens they face. This will allow for the ICO to take a more risk-based approach to regulating digital services.

The changes will also give the UK government the power to further amend the NIS Regulations in the future. This includes the possibility of bringing more organizations within scope of the NIS Regulations if they become vital for essential services and adding new sectors which may become critical to the UK’s economy.

The government will now proceed with these proposals and amend the NIS Regulations accordingly.

Copyright © 2023, Hunton Andrews Kurth LLP. All Rights Reserved. National Law Review, Volume XII, Number 334
