The Network and Information Systems Regulations 2018 (NIS Regulations) are the main legislative vehicle for promoting the security of networks underpinning the UK’s essential and digital services.
In the last quarter of 2022 the European Council formally adopted legislation for a high common level of cybersecurity across the Union, intended to further improve the incident response capabilities of both the public and private sectors and of the EU as a whole. The new directive is known as NIS2 (EU NIS2) and will replace the current NIS directive. Although the EU NIS2 Directive is now in effect, member states have 21 months to incorporate its provisions into their national law.
In the same week as the adoption of EU NIS2, the UK Government confirmed that it will move forward with plans to update the NIS Regulations, based on the responses to its consultation launched in January 2022 on proposals for legislation to improve the UK’s cyber resilience. These changes are currently expected to be implemented and brought into force sometime in 2024.
This article provides a summary of the proposed amendments to the NIS Regulations in respect of its extended application to digital service providers and the establishment of a risk-based supervisory regime.
Scope of consultation
The aforementioned proposals were split across two pillars, namely:
- Pillar 1 – proposals to amend provisions relating to digital service providers. This pillar included the proposals for expanding the regulation of digital service providers and the supervisory regime.
- Pillar 2 – proposals to future-proof the UK NIS Regulations. This pillar included proposals for delegated powers to update and amend the scope of the NIS Regulations, and proposals for additional incident reporting duties beyond continuity of service.
Expansion of the scope of regulation to providers of digital managed services
Currently the NIS Regulations apply to operators of essential services and relevant digital service providers.
Generally speaking, operators of essential services are those operating in the electricity, oil, gas, air transport, water transport, rail transport, road transport, healthcare, drinking water supply and distribution, and digital infrastructure subsectors.
Relevant digital service providers are those who provide an online marketplace, an online search engine or a cloud computing service.
The NIS Regulations are to be expanded to apply to providers of digital managed services, so the provision of such managed services will become subject to the regulations.
It is currently proposed that the characteristics of digital managed services that will be included are:
- The managed service is provided by one business to another business
- The service is related to the provision of IT services, such as systems, infrastructure, networks and/or security
- The service relies on the use of network and information systems, whether this is the network and information systems of the provider, their customers or third parties
- The service provides regular and ongoing management support, active administration and/or monitoring of IT systems, IT infrastructure, IT network and/or the security thereof
The published list of example services which would fall within the scope of a managed service includes:
- IT outsourcing services
- Private WAN managed services
- Private LAN managed services
- Service integration and management (SIAM)
- Application modernisation
- Application management
- Managed security operations centre (SOC)
- Security monitoring (SIEM)
- Incident response
- Threat and vulnerability management
At present the UK Government is not proposing to bring data centres within the remit of the NIS Regulations, but this is being kept under review. It does, however, point out that some data centres may be captured within the scope of NIS through their use by cloud service providers, and similarly through forming part of the network and information systems that support the provision of a managed service or managed security service.
The current intention is that there will be an exemption for small or micro businesses from the NIS Regulations, but the Information Commissioner will have the power to designate them as being in scope if the business in question is deemed systemically critical to the UK’s critical services or national security.
Proposed supervisory regime of digital service providers
The Government had consulted on proposals to establish a two-tier supervisory regime for those digital service providers falling within the expanded scope of the NIS Regulations: a proactive supervisory regime for the most critical digital services and a reactive supervisory regime for the remaining digital services. However, based on consultation feedback it has decided that this could be problematic and that it will therefore consider a more flexible, risk-based approach.
The current thinking is that the supervisory approach will be implemented through non-legislative means, with the Information Commissioner being given responsibility for how it will regulate digital services and how it will identify and assess those digital service providers which play the most critical role in supporting the resilience of the UK’s essential services.
Implications
Under the amended NIS Regulations, a wider range of organisations will be caught by them. Organisations will need to ascertain to what extent they fall under the UK NIS Regulations, the EU NIS2 regime or both, and then determine the measures they need to take to ensure compliance. Measures may include investing in new technologies and security systems, or updating processes and procedures for reporting incidents to relevant authorities such as Ofcom, Ofgem and the Information Commissioner's Office.
The consequences of non-compliance with the UK NIS Regulations include regulatory sanctions such as fines of up to £17m. However, the ramifications of non-compliance could also include claims for contractual breach and associated reputational damage.
The future
It is inevitable that, as the UK economy becomes increasingly reliant on digital infrastructure and security, it will be subject to more regulation. Accordingly, the expansion of the NIS Regulations is expected to increase the focus on the importance of protecting network and information systems, encouraging organisations to take a more proactive approach to cybersecurity and to prioritise the protection of their systems. This should improve the overall cyber security of critical infrastructure in the UK, helping to protect against potential disruptions to essential services and ensuring that organisations are better equipped to respond to and recover from cyber-attacks.