Authors: James Clark and David Cook
The UK government has published its plans to amend the Network and Information Systems Regulations 2018. The reforms will lead to many more IT companies falling within the scope of the Regulations as ‘Digital Service Providers’ and will expand incident reporting obligations. A two-tiered regime for Digital Service Providers – the details of which are not fully clear – will also be introduced. The changes have been announced just as the EU has approved implementation of the Network and Information Security Directive 2 (“NIS2”), and there are interesting points of comparison between the two parallel sets of reform.
Expanded scope of Digital Service Providers
Under the current Regulations, the definition of a Digital Service Provider (“DSP”), a regulated entity, is limited to search engines, online marketplaces and cloud computing service providers. DSPs have both registration and incident reporting obligations. The government now plans to expand the scope of DSPs to include ‘managed service providers’. This refers to scenarios where the customer relies on the service provider’s network and information systems for the delivery of at least one of a wide range of ‘managed services’, for example: service integration and management (SIAM); business continuity and disaster recovery services; various forms of business process outsourcing (BPO); and managed security services (such as a managed security operations centre, security monitoring, and threat and vulnerability management). Note, however, that this broad definition does not encompass traditional data centre services.
Through this change, the government is bringing into the scope of the Regulations a broad swathe of IT service providers whose infrastructure is relied upon by customers, including UK critical national infrastructure customers, for the delivery of important technology operations.
Two-tier regime for Digital Service Providers
One of the more interesting reforms is the plan to create a ‘two-tier regime’ for the regulation of DSPs. Specifically, the government intends to distinguish between lighter-touch ‘reactive’ (ex-post) regulation for some DSPs, and a more intensive ‘proactive’ (ex-ante) regime for others.
Those DSPs whose services are particularly critical to the country’s cyber resilience will fall within the more intensive regime. The government plans to entrust the Information Commissioner’s Office (ICO), already the competent authority for DSPs under the current Regulations, with developing criteria for identifying these ‘critical’ DSPs. The criteria are still to be determined but are intended to be flexible and subject to revision over time, as the nature of the nation’s dependency on certain IT services evolves.
Critical DSPs will be monitored by the ICO and will be expected to demonstrate their security resilience on an active and ongoing basis.
Regulation of ‘critical dependencies’
In addition to regulating managed service providers as DSPs, the government intends to also begin regulating critical suppliers to ‘operators of essential services’.
An operator of an essential service is a supplier of one of a defined number of services deemed critical to the national infrastructure (e.g., water, energy, transport). It therefore includes, for example, water companies, energy firms, hospital trusts and rail operators. Under the current Regulations, such operators have broad obligations to maintain appropriate security measures, are subject to audits of those measures by their competent authorities, and also have incident reporting obligations.
The government now wants to close what it considers to be an important gap, whereby many operators of essential services are dependent on third party infrastructure for critical parts of their service provision, but those third parties are not themselves subject to the Regulations. The government therefore intends to adopt powers to designate entities as ‘critical dependencies’ and require those organisations to comply with the same duties and obligations as operators of essential services.
Unlike the inclusion of managed service providers as DSPs, the details of this element of the reform have not yet been finalised, and the government will need to work with sector specific competent authorities to develop the relevant criteria for identifying ‘critical dependencies’. However, as these third parties will primarily be providers of IT related services, it remains to be seen how the overlap between DSPs and critical dependencies will be managed, and whether some companies will be subject to dual regulation.
Expanded notification obligations
Under the current Regulations, cyber incidents are reportable only if they have a significant impact on the provision of the essential (or digital) service. This means that an operator of an essential service or a relevant digital service provider may suffer a significant incident – e.g., a ransomware attack encrypting its entire HR database – which is not reportable under the Regulations if the organisation is still able to provide its essential (or digital) service. Even though such an incident may reveal underlying weaknesses in the organisation’s systems, or the potential for further compromise, the NIS regulator would not be made aware of it.
The government therefore wants to expand the scope of this obligation to include incidents that, whilst not affecting the continuity of the service directly, nonetheless pose a significant risk to the security and resilience of the organisation in question. The rationale is that some incidents are significant enough that, even where the organisation can continue providing its essential service, the government would want to know about the wider potential impact on critical national infrastructure. As with the ‘critical dependencies’ reform, the details of this change are still to be determined.
Comparison with EU NIS2
The Regulations are the result of the UK’s transposition, whilst still an EU Member State, of the 2016 Network and Information Systems Directive. In the UK’s absence, the 27 remaining Member States have now finalised their own reforms to the NIS regime, resulting in NIS2.
The EU’s reforms envisage a wider range of sectors being caught under the operator of essential services regime, something which the UK is not planning (focusing instead on bringing into scope the ‘critical dependencies’ of already-regulated sectors). In another change not contemplated by the UK, the EU is adding a stricter incident reporting timeline, starting with an initial ‘early warning’ within 24 hours of the entity becoming aware of a significant incident.
As the two regimes bed in, organisations providing essential and digital services across the UK and EU will need to adapt themselves to stricter, but diverging, regulation in both jurisdictions.