
March 30, 2022
Find answers to the top questions we're asked about the consultation on changes to the NIS Regulations 2018 and how they may affect Microsoft Partners.
1. What are the NIS Regulations 2018?
The Network and Information Systems Regulations 2018 (“NIS Regulations”) establish legal requirements to ensure overall levels of security (both cyber and physical) of network and information systems at two categories of organisation:
- Providers of essential services (e.g. transport, water and energy companies)
- Digital Service Providers (“DSPs”) providing online marketplaces, online search engines or cloud computing services (which would include SaaS, PaaS and IaaS offerings).
The NIS Regulations, amongst other things, set out certain obligations for these types of providers. For example, they require DSPs to register with the ICO and to notify the ICO of certain types of incidents they suffer.
2. What’s changing?
The Government has launched an open consultation (the “Consultation”) which aims to update the UK’s cyber resilience legal framework, specifically by strengthening and amending the NIS Regulations. The changes are only proposals at this stage, but the Consultation is open until 10 April 2022 and the Government is welcoming responses and comments from stakeholders (see further information on this below).
3. What are the key changes that might impact Microsoft Partners?
The main change that may affect you is the Government’s proposal to expand the scope of digital services regulated under the NIS Regulations, and therefore the number of regulated DSPs, to include ‘managed services’. This means that providers of managed services will become DSPs and fall within the NIS Regulations, if they are not already caught by virtue of offering cloud computing services.
4. How does the Consultation define ‘managed service’ providers?
The Consultation suggests that a business would be classed as a provider of ‘managed services’ if it is an external supplier that:
- provides ongoing B2B service management of data, IT infrastructure, IT networks and/or IT systems
- relies on network and information systems in its delivery of the services.
This is a broad definition, and we suspect that most Microsoft Partners providing managed support services to their customers would fall within this definition.
Some have raised concerns that this definition is very broad; in short, it is. However, in response to those concerns about the breadth of managed service providers it would apply to, the Government is considering whether to introduce further risk-based characteristics to the definition of ‘managed service’.
Proposals include targeting only providers who:
- have privileged access or connectivity to a customer’s IT infrastructure, or
- perform essential or sensitive functions for that customer.
We would argue that this doesn’t narrow the scope much, particularly in relation to the work a lot of our Microsoft Partners perform.
5. Are there any exemptions?
The existing NIS Regulations contain an exemption for small and micro businesses (if you have fewer than 50 staff and an annual turnover or balance sheet below €10 million). However, given that cyber risks can affect the UK economy whether caused by a small/micro business or a larger business, it seems that the Government is considering (through the Consultation) whether this exemption is proportionate to the risk.
Proposals include giving competent authorities the power to designate a small/micro business as falling within the NIS Regulations where they provide critical services (this is to be defined by the ICO).
6. What will this mean for my business?
On a practical level, if you have not already done so, you will need to register with the ICO (a process similar to, but separate from, registration for data protection purposes).
For most registered DSPs, the ICO will only provide reactive supervision – giving advice and guidance that must be complied with but only taking regulatory action following a reported incident.
However, the proposals under the Consultation seek to introduce a dual supervisory regime – this will be:
- reactive (as is the case under the NIS Regulations today), and
- proactive.
Proactive supervision would be limited to the most critical DSPs and would involve the ICO proactively monitoring and investigating whether DSPs are able to demonstrate that they have satisfied the requirements of the NIS Regulations.
7. How will I know what supervisory regime my business is subject to?
At the moment, this is unclear. The Consultation suggests that the ICO would be responsible for developing criteria with the intention that DSPs that present the ‘greatest systemic risk to the UK’s economic prosperity and national security’ be targeted.
These criteria could be based on the characteristics of the DSP (e.g. market concentration) or those of the customer (e.g. how dependent they are on the DSP’s services).
Ultimately, the ICO is likely to retain the fall-back power to designate DSPs that fall outside of the agreed criteria. As a result, businesses should carefully review the threshold conditions put forward by the ICO to determine whether they fall within the scope of the NIS Regulations.
8. What does this mean for incident reporting?
DSPs currently have an obligation to notify the ICO of any incidents which have a substantial impact on the provision of any of its digital services (including cloud computing services). To date, there have been very few cyber incidents reported under the NIS Regulations as the threshold is high. The Consultation is proposing that the notification requirement is changed to catch any incident which ‘has a significant impact on the availability, integrity, or confidentiality of networks and information systems, and that could cause, or threaten to cause, substantial disruption to the service’. If this proposal is successful, it will mean DSPs have to engage more regularly with the ICO in relation to cyber risks and incidents.
9. What is it going to cost me?
An expansion in regulation inevitably brings with it cost implications. The Consultation breaks the potential cost impact down into three categories:
- initial administration costs – initial familiarisation and professional costs to ensure systems and processes align to the new regulation
- additional cyber security spending – both one-off and ongoing spending in order to meet the new requirements
- ongoing incident reporting costs.
10. How can I find out more and respond to the Consultation?
You can read more about the Consultation here.
The Consultation is open for responses until 23:45 on 10 April 2022. Stakeholders are encouraged to respond using the Government’s online consultation system, which can be accessed here.