UK Government consults on tighter cyber regulation for managed service providers

On 22 January 2022, the UK government launched two consultations seeking views on proposals made by the Department for Digital, Culture, Media and Sport ("DCMS") to improve the UK's cyber resilience, part of the UK's new £2.6 billion National Cyber Strategy launched at the end of last year. The consultation is open until 22 April 2022. Proposed changes will affect, in particular, managed IT service providers such as those offering remote security operations, automatic patching and digital accounts and billing, which will be brought within the reach of the Network and Information Systems (NIS) Regulations 2018 for the first time.

Current NIS Regulations

The aim of the UK Network and Information Systems Regulations 2018 is to maintain security of critical national infrastructure. The Regulations establish legal measures to strengthen the overall level of security (both cyber and physical resilience) of network and information systems that are critical for the provision of essential UK services, such as transport, energy, water, digital infrastructure, and health, as well as digital services.

Why is the legislative change proposed?

Over the course of the last year, the UK's National Cyber Security Centre has faced an unprecedented increase in the volume of cyber security incidents to which it has had to respond. There have also recently been a number of high profile cyberattacks, both domestically and abroad, such as the Solarwinds supply chain compromise in December 2020 and the ransomware attack on the Colonial Pipeline in May 2020 (see our article on preventing ransomware and cyberattacks). Such attacks demonstrate how critical services and infrastructure can be impacted and highlight the increasing sophistication of threats to the UK's cyber resilience.

The consultations

The two consultations are divided into three distinct pillars. Pillars one and two make proposed changes to the NIS. Pillar three proposes considerations for the standardisation of the cyber security profession, so that consistent competency standards are embedded across the cyber profession.

Pillar One

Proposals in pillar one seek to expand the scope of digital service providers within the scope of the NIS Regulations to include 'managed service providers'. The proposals also establish a new risk-based and proportionate supervisory framework for all digital service providers in scope of the NIS Regulations. It is envisaged that together these proposed measures will strengthen the oversight of providers who frequently have privileged access and provide critical support to essential UK services, and ensure that these businesses have adequate cyber security protections in place.

Pillar Two

Proposals in the second pillar seek to future-proof the NIS Regulations, by allowing changes to be implemented so the UK can adapt to evolving threats and technological developments. The government proposes powers to allow important updates to the NIS framework in the future, either to respond to changing threats or technology or to cover other areas as necessary, as well as provisions to secure the most critical organisations on which essential services depend.

The government would also propose to extend the current cost recovery system so that costs incurred by competent authorities (e.g. the Information Commissioner's Office ("ICO")) can be recovered from the companies that they regulate, and to expand the incident reporting framework (currently limited to incidents that impact on service) under the NIS Regulations. These proposed measures seek to address some of the supply chain cyber security issues which have arisen over the last two years and which the government states will continue to proliferate if no change is made.

Characteristics of Managed Services

Service providers will qualify as 'managed service providers' under the revised scope of Regulations if the services they provide:

• are supplied to external clients by the supplier;
• involve regular and ongoing service management of data, IT infrastructure, IT networks and/or IT systems;
• are categorised as B2B rather than B2C (business to consumer) services; and
• The provision of the services relies on network and information systems.

A non-exhaustive list of the types of service the government is proposing to bring into the digital services provider scope is provided in Annex 1 of the proposal, and is reproduced in the list below:

Workplace services

• Managed print services; Managed desktop/virtual desktop

Managed Network support services

• Wide Area Network (WAN) support services ; Local Area Network (LAN) support services

Consulting

• Online security or technology advisory services

Security Services

• Managed Security Operations Centre (SOC) ; Security Monitoring (SIEM); Incident response ; Threat and vulnerability management (TVM) ; Business Process Outsourcing services (front office/back office, onshore, nearshore or offshore e.g. payroll, accounting, regulatory compliance) ; IT Outsourcing services (ITO); Service integration and management (TVM)

Analytics and Artificial Intelligence (AI)

• Interactive services (virtual client services) ; Data analytics, automation, optimisation and management services

Business Continuity and Disaster Recovery Services

• Planning and implementation ; Rehearsal environments ; Backup services

Software Engineering – Managed service provider develops source code, maintains source code, stores source code in its own repository

• DevOps – often cloud-based, featuring Agile development techniques (e.g. Scrum, XP) ; Application Modernization – remediation and migration of legacy software to cloud platforms ; Application Management – run and maintain services, security and patching ; Data centres, digital infrastructure, hardware resellers and not directly within scope of this measure in of themselves, unless they form part of the network and information systems that support the provision of a managed service.

A further consideration in the consultation is whether, in addition to having the above characteristics, to be regulated as a 'digital services provider', a provider would also have to:

• have privileged access or connectivity to a customer's data, IT infrastructure, IT networks and/or IT systems; or
• perform essential or sensitive functions, such as the processing and/or storage of confidential or business-critical data.

Narrowing the definition would limit the entities in scope but could have an impact on the UK's resilience should entities falling outside the narrow definition provide services posing a systemic risk. On the other hand, it is acknowledged that keeping the definition wide risks bringing too many organisations within the scope of the NIS Regulations, which may not be appropriate for them and increases the regulatory burden for them and the regulator.

Requirement Once Under Scope of NIS Regulations

'Managed service' providers brought under scope of the NIS regulations would be required to register with the relevant competent authority (the ICO) and have appropriate and proportionate security measures in place to ensure that their own network and information systems are secure. They would also be required to report relevant incidents to their competent authority.

If not already in place, it will be critical that such providers prepare their business to undertake rigorous independent audits and ensure compliance with the security expectations of the ICO, which is expected to be determined through guidance.

Costs for Entities Brought under Scope of NIS Regulations

• Initial Administrative Costs as 'managed service' providers familiarise themselves with the legislation and its implications.
• Increases in cyber security spending in order to meet the security requirements set out by the ICO. There is both a one-time – to reflect initial improvement – and an ongoing cost element – to meet any changes to standard.
• Ongoing incident reporting costs – firms will be required to report cyber security incidents that are above the threshold to the ICO.

'Managed service providers' affected will need, under the proposed legislative change, to be ready to address the prospect of the same security requirements as operators of essential services. Ultimately, the risk is potential fines of up to £17 million for serious cyber incidents. The government makes clear that these providers play a vital role in the nation's critical infrastructure and have a responsibility to deliver a universal, end-to-end approach to cyber security.

In strengthening the oversight of critical digital suppliers, existing cyber regulation and improving the UK's cyber security profession, the DCMS aims to solidify the UK's position as a democratic and responsible cyber power and protect essential services (such as the NHS, transport services, digital services and energy supplies). This will in turn defend the interests, livelihoods and economic prosperity of the UK's people and businesses.

The current proposals are open until the 10 April 2022 with the ability to submit comments directly to the NIS Directive Team by responding online, by email or by post.

In addition to these proposals to tighten cyber resilience in the UK, the approach in Europe is also evolving – find out what you need to know about the second network and information security directive proposal.

To understand more on the UK's cyber resilience consultation, or to discuss what the proposed legislation changes could mean for your business, please speak to Helen Davenport.