The NIS Regulations to expand to bring outsourced IT providers and managed service providers into scope
The UK's Network and Information Systems ("NIS") Regulations came into force in May 2018 to boost the level of security of network and information systems for the provision of essential services, such as transport, energy, water, health and digital infrastructure ("operators of essential services (OES)"). These Regulations also applied to digital services, such as online marketplaces, online search engines and cloud computing services ("relevant digital service providers (RDSPs)"). The NIS Regulations were introduced as a response to the security threat, resulting from essential industries becoming more reliant on technology.
The NIS Regulations were intended to create a common level of security for network and information systems to provide adequate protection against cyber-attacks.
The past few years have resulted in a rapid move to digitalisation, due in part to the impact of COVID-19. Accordingly, essential services are increasingly dependent on network and information systems and digital supply chains. There has also been a wave of high-profile cyber-attacks on critical industries, such as the December 2020 SolarWinds supply chain compromise, the May 2021 ransomware attack on the US Colonial Pipeline, and the July 2021 attack on Kaseya. These incidents demonstrated how a country's national security and wider economy could be disrupted via attacks on single providers.
Entities such as outsourced IT providers and managed service providers ("MSPs"), to the extent they existed at all, played a different role when the first NIS Regulations were drafted. Some MSPs now have automatic access to networks of thousands of other companies. Threat actors could target just one of these entities and be able to access a significant number of other company networks as a result.
The new proposals bring outsourced IT providers and MSPs within scope of the regulatory framework to ensure that these entities have appropriate cyber security measures in place and can be regulated effectively. The measures are due to be implemented as soon as parliamentary time will allow.
Supply chain security risks
Cyber security risks can be found within an organisation's supply chain as well as in direct threats to its own environment. This challenge is particularly relevant, given the growing reliance of many organisations on companies who provide essential outsourced services with privileged access to internal systems.
We see instances of supply chain security risks on a day-to-day basis, while providing advice to different companies who are impacted by cyber-attacks. For example, we have assisted organisations that provide managed services to numerous customers. We have seen instances of those clients suffering a ransomware attack involving encryption, which meant that the services are unavailable to customers. This impacts the clients' operations and has a potential knock-on effect on the customers who relied upon the clients' services to manage their own businesses. The net result can be a significant impact on the clients in terms of substantial losses in profits and staff time. But also, a wider impact on customers which, whilst harder to quantify, could in some cases be significant.
In other situations, we have seen clients, who have relied on cloud services providers to host their emails, impacted when the service provider has been hit by a ransomware attack. In these circumstances, the clients' historic emails have been lost. This can impact day-to-day operations and also their ability to receive new business. The service provider may be a large company with considerable bargaining power. In such cases, the contracts with the service provider might provide the clients with only limited recourse against the service provider.
For many businesses that suffer from the inability to negotiate terms with MSPs for improved cyber security measures, there is arguably a need for legislation to enforce such measures outside of contractual provisions. Of course, the potential impact is even greater where clients of the MSPs and outsourced providers include Government departments and/or critical infrastructure.
The UK Government is keen to tackle this new cyber security threat in a way that does not stunt the valuable growth that is propagated by MSPs and outsourced IT services. The measures outlined in the initial consultation have been divided into three "Pillars." However, only the first two pillars have been consulted on:
Pillar I: Proposals to bring additional critical providers of digital services into the UK’s cyber security regulatory framework. This is intended to ensure that those providers who frequently have privileged access and provide critical support to essential UK services have adequate cyber security protections in place and can be regulated effectively and proactively. Previously, with no baseline in place, it was difficult for UK companies to demand increased security measures or oversight of MSPs, especially when dealing with large suppliers. The proposed measures will expand the scope of "digital service" to include "managed services," which play an essential role in supporting the UK economy and are critical to the functioning of essential services in the UK.
MSPs will be required to register with the relevant competent authority (the ICO) and have appropriate and proportionate security measures in place to ensure their networks are secure.
Further changes will require essential and digital services to improve cyber incident reporting to regulators such as Ofcom, Ofgem and the ICO. This will include notifying regulators of a wider range of incidents that disrupt service, or which could have a high risk or impact to their service, even if they don’t immediately cause disruption.
The Government proposes to establish a two-tier supervisory regime for digital service providers within the scope of the updated NIS Regulations. This will involve a proactive supervisory regime for the most critical digital services and a reactive supervisory regime for the remaining digital services regulated under the NIS Regulations.
Digital service providers regulated on a more proactive basis would be required to actively demonstrate to the ICO that they have fulfilled their duties under NIS, including maintaining appropriate and proportionate security measures. Digital service providers under a reactive regime would have the same duties but would be subjected to a lighter-touch supervision – with regulatory action only being taken when there has been an incident, or a credible report of an incident or failure to implement the requirements of the NIS Regulations.
There is an existing exemption for small and micro-businesses from the digital service provisions. However, due to risks highlighted by recent incidents the department for Digital, Culture, Media & Sport are considering whether this exemption is still proportionate to the risk.
Pillar II: Proposals to future-proof the UK’s existing cyber security legislation. The UK government currently has no power to make policy updates to the NIS Regulations directly and all amendments must be done via primary regulation. These processes do not complement the everchanging sectors that the NIS Regulations regulate. Without power to make changes through secondary legislation, the concern is that the NIS Regulations could be less effective, as emerging threats to the security of networks and information systems might not be counteracted as effectively if regulators cannot intervene promptly. This proposal therefore assists in the Government's ability to adapt to potential changes in threat and technological developments.
The proposed measure would take the form of a delegated power, by which the UK government may make amendments to the NIS Regulations in order to vary the sectors and sub-sectors which are in scope. The power would be subject to safeguards and limitations, to ensure that it is appropriate, proportionate, and does not go beyond its intended objective.
Who this impacts and when changes will be implemented
The changes bring providers of outsourced IT and MSPs that are key to the functioning of essential services into scope of the NIS Regulations. The updates to the NIS Regulations are to be made as soon as parliamentary time allows, according to the UK Government.
MSP and outsourced IT are defined as those services which:
- are supplied to a client by an external supplier.
- involve regular and ongoing service management of data, IT infrastructure, IT networks and/or IT systems;
- are categorised as business to business (B2B) rather than business to consumer (B2C) services; and
- rely on network and information systems.
There is also to be further consideration of introducing risk-based characteristics into the definition of a managed service. The hope in doing so would be to ensure that the managed services brought into scope are those which would have the most substantial impact on the UK’s resilience should they be disrupted.
Under this approach, as well as having the above characteristics, to be regulated as “digital services” under the NIS Regulations 2018, a service would have to:
- have privileged access or connectivity to a customer’s data, IT infrastructure, IT networks and/or IT systems; or
- perform essential or sensitive functions, such as the processing and/or storage of confidential or business-critical data
Services that meet these characteristics will be required to comply with the requirements and duties set out in NIS Regulations 2018. Examples of MSPs include providers of remote security operations, automatic patching, digital accounts and billing.
Once amendments to the NIS Regulations are enforced, many companies who provide the broad range of services described above will need to react to the NIS Regulations by considering their cyber security measures and reporting to relevant authorities when certain incidents occur. While complying with these Regulations may appear burdensome, doing so could improve security for both MSPs and the companies they assist. If so, this could go some way towards addressing a supply chain issue which has become an increasing concern.