UK updates NIS regulations bringing stricter rules for MSPs

The UK government has confirmed that the planned changes to the Network and Information Systems (NIS) regulations have officially come into effect, bringing stricter rules and requirements to managed service providers (MSPs).

The updates to the framework come as a response to a public consultation held earlier this year, which highlighted the need to adapt to new and increasingly-sophisticated cyber risks.

The NIS regulations were first established back in 2018 in a bid to improve cyber security for organisations that provide critical services to the UK. Companies that fail to implement adequate cyber security measures can be fined up to £17 million for non-compliance.

Since its introduction, however, cyber attacks have continued to evolve and adapt, an issue highlighted by the likes of Operation CloudHopper, a high-profile attack that targeted MSPs and compromised thousands of organisations through their access to customers’ IT networks.

As a result of such incidents, MSPs have now been brought into the scope of the regulations, as well as the addition of several new restrictions to help maintain supply chain security.

“The services we rely on for healthcare, water, energy, and computing must not be brought to a standstill by criminals and hostile states,” said Julia Lopez, minister for media, data, and digital infrastructure. “We are strengthening the UK’s cyber laws against digital threats. This will better protect our essential and digital services and the outsourced IT providers which keep them running.”

Speaking to IT Pro earlier this year, industry experts unanimously welcomed the government's intention to bring MSPs into the scope of the new NIS regulations.

MSPs play a significant role in the world's IT infrastructure and have privileged access to numerous private sector organisations' IT estates. Compromising an MSP or other privileged organisation can lead to cyber attacks in the supply chain, as evidenced by the infamous Kaseya case in 2021.

The legislation changes form part of the government’s £2.6 billion National Cyber Strategy, which it says aims to take a stronger approach to get at-risk businesses to improve their cyber resilience.

Organisations will need to improve cyber incident reporting to regulating bodies such as Ofcom, Ofgem, and the ICO, and are required to notify their respective regulator of a wider range of incidents that disrupt their service - or ones that have the potential to do so.

“These measures will increase the resilience of the country’s essential services – and their managed service providers – on which we all rely,” commented Paul Maddinson, NCSC director of national resilience and strategy.

Additionally, the UK government will be able to amend and adapt the regulations in future should other sectors and services become essential to the UK’s economy.

Regulators will also be able to set up a “more transparent” cost recovery system for enforcing the regulations, the government says, factoring in wider regulatory burdens, company size, and other factors to minimise the impact on taxpayers.

Carla Baker, Palo Alto’s senior director of public policy UK and Ireland, said the cyber security firm backs the continued development of an “agile policy framework”.

“We welcome the opportunity to engage with the UK government as it reviews the legislation and develops guidance for industry to enhance cyber resilience and combat the risk that malicious actors pose to the UK’s national security,” she said.