News + Resources

The EU have decided on a significant expansion of the NIS Regulations, broadening and deepening their scope and reach.  In parallel, the UK has set out its proposals, taking a more ‘risk-balanced’ approach. Both approaches have merits – and some risk.  Both demonstrate the importance governments attach to industry doing more to protect itself. The UK approach is particularly interesting – while HMG clearly does not want to increase the regulatory burden on companies, it is signalling very clearly that the regulations can and will be further tightened if the industry proves unable or unwilling to respond appropriately.     

Background

In late November 2022 the UK announced its plans to augment the 2018 Network and Information Systems Regulations, initially adopted in 2018.  The regulations, implemented EU-wide, were intended to ensure that organisations forming ‘critical national infrastructure’ secured their computer systems and networks, and rendered them less vulnerable to cyber attack.  It identified key sectors and gave Governments power to fine organisations up to £17m in the event that they were deemed to have afforded their IT systems and networks insufficient protection in the event of a successful cyber attack. 

The UK announcement was contemporaneous with the EU’s announcement that Member States had to implement additional measures under NISR2, and had 21 months to adopt the regulations into domestic legislation. 

The EU approach is wide ranging.  It not only broadens the scope of organisations to which it applies, but deepens it too, including for example, the managed service providers to organisations operating elements of CNI.  It includes within its focus, for example, the need to make medical devices more secure. It reduces any ambiguity about which organisation are or are not in scope by stipulating that organisations of more than 250 people or €50m turnover (or assets of €43m). It increases supervisory and oversight requirements. It requires more rapid reporting of incidents to Government (down to 24 hours for an initial report; 72 hours for a full assessment). It increases the maximum penalties up to 2% of turnover).  It also includes provisions that make Boards accountable should there be evidence of management failures to take cyber risk management seriously. 

The UK’s approach 

The UK government consulted widely on proposed updates and changes to the regulations. In its proposal released in November 2022, it outlined its preferred approach to upgrading the regulations.  Key amongst its conclusions were: 

• Inclusion in scope of Managed IT Service Providers in critical sectors on whom there were ‘critical dependencies’  
• Taking a risk-based approach to the designation of organisations as OES (Operators of Essential Services) rather than applying blanket formulae for their inclusion 
• The establishment of a cost recovery regime to mitigate the costs to Government of regulating this activity (i.e. the costs of the supervisory regime should be borne by those organisations that have to be supervised – fines and penalties being extra).  While there is no industrial agreement to this proposal, the Government will continue to examine options for recovering the costs of operating the regulatory regime to minimise the costs to the Exchequer  
• The ability to update regulations without having to table primary legislation and giving Government power to add sectors of interest should the need arise (i.e. potential for adding medical devices – already included under EU variant) 
• Broadening the reporting requirement to include those attacks that do not solely affect ‘continuity of service’ 

What does this all mean? 

Both the EU and the UK have recognised that the 2018 regulations needed to evolve.  Performance was patchy, and more needed to be done to bring member states up to standard.  But the UK’s approach is markedly less dirigiste than the EU’s, preferring a more risk-based approach, subjecting the most critical organisations to more up-front scrutiny.  The UK has also recognised that in key sectors of the economy, managed service providers need to be brought into the ambit of the regulations.  

It will take time to see if the divergence in approach will drive different supplier behaviours between the UK and the EU, and whether the bigger MSP companies will seek to arbitrage the difference.   Tighter regulations will cost money to implement (although it could be argued that the current cost base should include these risk management activities already, as the regulations mainly seek to enforce good practice). The UK Government is clearly keen to ensure that organisations forming the critical national infrastructure take responsibility for their cyber security without Government overly specifying how they should do their business – but it has left itself the ability to mandate tougher rules if it needs to, without having to pass more primary legislation.  One of the most notable differences is that the UK, unlike the EU, has not sought to put more responsibility on Company Boards – yet.   

For many of our European clients, we expect national authorities will start to ratchet up the pressure on the Transportation sector to improve cyber security, particularly in protecting strategic exports and imports (food and fuel particularly).  The EU’s method of determining criticality has become more broad-brush – and thereby harder to avoid.   

The development of these regulations also shows the tightrope that all Governments are having to walk.  The more Governments tell industry what to do, the more risk Government assumes. But it is also clear that Governments are clear that they want industry to do more to protect themselves – and are prepared to increase the pressure further if their attempts at persuasion are ignored.  The UK’s approach in particular means that it can include new sectors and increase the pressure for compliance without having to go back to primary legislation – this is a big potential stick which should not be ignored.