The UK government has recently launched a consultation on proposals to improve the cyber resilience of organisations and ensure the UK regulatory framework remains effective.
The implications of the proposals to be consulted on are potentially significant. They are relevant to all organisations which fall within the current scope of the Network and Information Systems Regulations 2018 (the Regulations) and other digital service providers which support “essential services”, such as utilities, or provide managed services.
The consultation follows the recent release of the National Cyber Strategy, which aims in part to boost cyber resilience and improve the management of cyber risk within organisations and makes it clear that the current approach is “not delivering the requisite change at sufficient pace and scale”. It reflects a growing anxiety across government to ensure greater levels of cyber resilience in private institutions; see also, for instance, the recent FCA “Dear CEO letter” to banks urging them to strengthen their cyber defences in the expectation of heightened cyber security risks linked to potential blowback from the ongoing Ukraine crisis.
The consultation proposes a series of measures which are divided into three “Pillars”, each aimed at addressing a different objective:
- Pillar I: proposals to bring additional critical providers of digital services into the UK’s cyber security regulatory framework
- Pillar II: proposals to future-proof the UK’s existing cyber security legislation
- Pillar III: considerations for the standardisation of the cyber security profession (these measures are the subject of a separate consultation which closes on 20 March 2022).
In summary, the consultation proposes to:
- Expand the scope of “digital services” to include “digital managed services”, which may include business process outsourcing services
- Apply a two-tier supervisory regime for digital service providers (with a new proactive supervision tier for critical providers alongside the existing reactive tier)
- Create new delegated powers to enable government to update the regulations
- Create a new power to bring organisations which those already within scope are critically dependent upon within the remit of the Regulations
- Strengthen existing incident reporting duties
- Extend the existing cost recovery provisions to allow regulators (eg the Information Commissioner’s Office (ICO)) to recover implementation costs from regulated companies.
Summary of key Pillar I proposals
The consultation recognises that digital managed services are critical to the function and resiliency of essential services in the UK, but the majority of them do not fall within the scope of the Regulations. There is concern that the potential for malicious actors to use these managed services to disrupt essential services at scale could present a considerable risk to national security, the economy and society.
Under the new proposals, managed services with all of the following characteristics would be added to the list of digital services within scope of the Regulations:
- They are supplied to a client by an external supplier
- They involve regular and ongoing service management of data, IT infrastructure, IT networks and/or IT systems
- They are categorised as business to business rather than business to consumer
- Their provision relies on network and information systems
The types of services which the consultation envisages would be caught range from business process outsourcing services (like payroll and regulatory compliance), to backup and other business continuity and disaster recovery services, to data optimisation and management services. Additional risk-based characteristics, relating to whether a service has privileged access or connectivity to a customer’s data, or performs an essential function (eg storing critical data), would bring further businesses within scope of the Regulations.
A new, two-tier supervisory regime for digital service providers is also proposed, involving a proactive supervisory regime for “critical providers” and a reactive regime for other in-scope digital services. Critical providers would be identified on the basis of factors such as market reach, market concentration, and criticality of clients supplied. Critical providers would need to demonstrate to the ICO that they are fulfilling their duties under the Regulations, whereas non-critical providers would have the same obligations but under “lighter touch” supervision.
Summary of key Pillar II proposals
The Regulations may currently only be changed via primary legislation. The government is proposing that ministers should be able to change the Regulations via secondary legislation, without changing the scope of the Regulations.
The government also proposes a new delegated power to allow it to change the scope of the Regulations, to enable responses to the shifting importance of different sectors to essential services and to emerging technologies. There would be additional safeguards to limit the extent of the delegated power, to ensure that the use of the power is informed by evidence which considers the necessity of expanding the scope of the Regulations and the impact on organisations brought within scope.
The consultation also recommends:
- a new power to designate entities as “critical dependencies” and therefore within scope of the Regulations where they are critical to the performance of essential and digital services;
- expanded incident reporting requirements to include events which pose a significant risk to the resilience and security of organisations and the essential services they provide, even in the absence of any direct impact on service continuity, with sector-specific reporting thresholds to be set later; and
- that reasonable costs incurred by regulatory authorities under the Regulations are transferred in full to the organisations in scope, allowing those authorities to raise fees and recover costs for relevant activities.
How to respond
The consultation is open until 10 April 2022. Responses can be submitted online.
If you found this interesting, there’s a lot more commentary you may find helpful on UpData, which provides regular updates on contentious, criminal and insurance risks relating to data, from cyber-attacks to regulatory enforcement.