Helen Davenport provides an update on the changes to the NIS Regulations and highlights the companies caught by these changes.

Transcript

Helen Davenport: Hello everyone, my name is Helen Davenport and I am a Partner in the Commercial Litigation Team at Gowling WLG and in particular, I lead our Cyber Security and Contentious Data Privacy work. We are an international law firm with 18 offices across the world, working across a wide variety of sectors and services including technology, financial services, government and real estate.

I will be talking to you today about the NIS Regulations, as this is an area in which we may see some new laws coming up the track, so an interesting one to watch.

Now before we get into what the new laws might look like, let us just have a little reminder of what the NIS Regulations are. So of course, these came into force on 10 May 2018. They implemented the EU Cyber Security Directive 2016, prior to us Brexiting, obviously. The aim of the Regulations is to maintain the security of critical national infrastructure and in particular the network and information systems that are critical for the provision of the essential UK services and digital services.

Now if you are an organisation and are caught by the NIS Regulations you will be familiar with this, but if not just bear with me for a moment while I run through the scope and the effect. So the organisations in scope of the NIS Regulations are businesses providing certain essential services, and they are referred to as operators of essential services, or OESs, and relevant digital service providers, RDSPs. They are required to register with the relevant competent authorities, they have to meet a baseline level of cyber security requirements and they have to report any incident which has a significant impact on the continuity of the essential services.

Now just to drill down into that a little bit more, how do you know if you are an OES caught within the Regulations? Well, for the operators of essential services that covers a number of identified sectors, and those are energy, transport, health, drinking water supply and distribution, and also digital infrastructure. Those are in turn broken down into sub-sectors, and then for each of those sub-sectors there are designated competent authorities and threshold requirements for a business or organisation to see if it is caught. I have just drilled down into one particular example to try not to clutter the slide too much, but in the area of drinking water supply and distribution you can see that there are a number of designated competent authorities for each of the areas of the UK, and the threshold requirement there, for the essential service of supply of potable water in the United Kingdom, is where the supply of water is to 200,000 or more people. So that is OESs and how you would know if you were caught.

Moving on to relevant digital service providers. Now, to be caught, that's where a provider provides a digital service in the UK, which might be an online marketplace, an online search engine or a cloud computing service, and there are definitions for those in the Regulations. Organisations are caught where they have a head office for that provider in the UK or that provider has nominated a representative established in the UK, and then there is a carve-out for micro or small enterprises. The competent authority in the case of digital service providers is the ICO.

Now I said I was going to be talking about some potential new laws and in particular talking about the UK Government's current thinking in this area.

So during the last 12 months or so, the UK Government has launched two calls for reviews, one on amending the NIS Regulations and another one on supply chain security. More recently DCMS launched two consultations in January 2022, and those ended in March and April of this year respectively. They are principally geared at having a new legal framework to improve cyber resilience, and why is the UK Government thinking about that? Principally for three reasons.

  1. There is an increasing awareness of cyber security, and that was identified in the most recent DCMS Cyber Breach Survey that came out at the end of March. So an increasing awareness, it is on the agenda, but unfortunately action lags behind that awareness in terms of doing something about cyber security, so that is the first reason.
  2. The second reason is the National Cyber Security Centre is seeing an increased number of incidents and is helping organisations manage an increasing number of incidents, both in the UK and, obviously, we are also seeing incidents worldwide as well, and increasingly high profile incidents.
  3. Thirdly, there is a recognition of supply chain risk, and there is actually an increased reliance on centralised IT services. The concern there is that a small number of organisations in the supply chain are actually carrying a high risk in comparison, and that has the potential to impact on a huge number of organisations that they service. So this is all in line with the Government Cyber Security Strategy for 2022.

So drilling down a bit more into those consultations: there were two consultations covering three pillars. In Pillar 1 of Consultation 1, the focus there was about amending the NIS Regulations, with two key changes. The first one is to bring managed service providers into the scope of the NIS Regulations, and the second one is that digital service providers who have the most privileged access or provide critical services to organisations would have a risk-based enforcement regulatory regime, so that actually those that are in the category that I have just described would have proactive supervision from the ICO and reactive supervision for the others.

In Pillar 2 of the second consultation, the focus here is around future-proofing the NIS Regulations. Three key changes here. The first one is to actually give the Government the power to make quicker changes to the Regulations going forward, so that they can respond to threats more quickly. The second one is to change the reporting thresholds, so at the moment it is just incidents that will have an impact on service, but the proposal there is to increase the incidents that would need to be reported. Thirdly, the introduction or an expansion of the cost recovery regimes, so that actually the organisations within the scope of the NIS Regulations would bear the cost of the competent authorities regulating them.

In the third Pillar, Consultation 2, that is focussed on boosting the cyber security profession, so increased standards. So if organisations need to draw on the expertise of cyber security professionals, there is a regime there that makes it easier to see who has the requisite expertise.

In the next part of the session, I am just going to focus on the managed service providers change, so that is within the first consultation, given the potential significance this has on supply chain cyber resilience.

So who might be caught by being a managed service provider? Well, the consultation currently proposes that an organisation would qualify as a managed service provider if the services it provides are supplied to external clients by its supplier; they involve regular and ongoing service management of data, IT infrastructure, IT networks and/or IT systems; they are categorised as B2B rather than B2C services; and the provision of the services relies on network and information systems. The consultation also includes, in one of its annexes, a list of the potential organisations that the UK Government would envisage that this would cover.

Now two points of note: the first is that it is broad and the second is that it is a non-exhaustive list. So here on the slide I have got the headline categories, but if you are looking at the slides you can also see that there is more detail within them. In headline terms, the categories are managed network support services, security services, outsourcing, analytics and artificial intelligence, workplace services, business continuity and disaster recovery services, consulting and lastly software engineering services, such as where the managed service provider develops the source code, maintains the source code or stores the source code in its own repository. So broad, and the Government is also consulting at the moment on whether actually there would be an additional threshold to be a managed service provider. So it is also under consideration whether, to be regulated, a provider would also have to have privileged access or connectivity to a customer's data, IT infrastructure, IT networks and/or IT systems, or they would have to perform essential or sensitive functions, such as the processing and/or storage of confidential or business critical data.

There is an understanding, in considering whether to introduce this additional threshold, that narrowing, so having this additional threshold, may be helpful, but could that leave risks to supply chains where actually there is an organisation who is providing services, or can have an impact on that supply chain, that would fall outside of this threshold? On the other hand, having too many organisations, so if we do not have a further threshold, might mean that you have got organisations in scope for whom it will not be appropriate to be in scope, with the organisation or business having to bear additional costs, and also the regulator will incur additional costs if it has to regulate too many organisations, so there needs to be a purpose for them doing so.

So that is one to watch in terms of following the consultation, where actually this definition and/or any additional thresholds might land. But for those businesses who are managed service providers in the future, well then the proposed requirements that they will have will mean that they have to register with the ICO as a competent authority. They will have to make sure they have in place adequate and proportionate security measures to ensure that their own network and information systems are secure. They will also be required to report relevant incidents to the competent authority, so if not already in place, then organisations may prepare, or need to prepare, their business to undertake rigorous independent audits and to ensure compliance with the security expectations of the ICO. In terms of what those expectations might be, well, there is no guidance at the moment and that is expected to be determined through guidance in the future, so it is something else to watch out for.

There is also, as I mentioned earlier, those digital service providers who have the most privileged access, providing the most critical services, who will then have proactive supervision from the ICO as well. Those managed service providers will also have a cost impact in terms of getting to grips with the Regulations: the initial administration costs, there may be additional increases in cyber security spending to make sure the security measures are met, and if an incident does arise, then there will be cost consequences in terms of having to deal with and report that incident. Further, as I also mentioned earlier, there is an expansion, or proposed expansion, of the cost recovery scheme, so the managed service providers would also have to pay their part towards the regulators' costs.

So that is what is proposed at the moment under the consultation. Very much one to watch when we get the results of the consultation. If you are a customer of IT services, then this will be of interest to you because your providers and your supply chain may be the subject of increased regulation, which may have benefits for you. And if you are on the other side of the fence, if you are a supplier, then of course you will be concerned to understand whether you are inside or outside this definition of managed service providers and whether you will have the additional regulatory requirements that I have just talked through.

Thank you very much.

Read the original article on GowlingWLG.com

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.