After a long gestation and several rounds of public consultation on cyber security issues (focusing on updating the Network and Information Systems Regulations 2018 (NIS Regulations) post-Brexit), the UK has now published its proposal for changes to the UK's cyber security landscape, to strengthen the UK's cyber security and resilience regime. This comes in a year when the National Cyber Security Centre has managed 204 significant or highly significant cyber incidents and two major UK retailers suffered major cyber attacks, severely disrupting their businesses. Current requirements for operators of essential services (across a range of industry sectors) and some digital services are being updated to bring a wider range of service providers in scope and to deepen IT security expectations, to bolster the UK's resilience to cyber threat actors.
The Cyber Security and Resilience (Network and Information Systems) Bill amends existing legislation, specifically the NIS Regulations, and grants the Secretary of State wide powers under a new statutory framework to issue regulations, codes of practice and national security directions, set strategic priorities and require periodic reports on the legislation. Significantly, as trailed, the Bill extends the regulatory reach of the NIS Regulations to data centres, managed services, critical suppliers and electricity "load controllers", and introduces enhanced incident reporting, customer notification, information sharing, enforcement powers and cost recovery by regulators. Recognising the threat posed by smart devices, organisations that manage the flow of electricity to smart appliances such as electric vehicle charge points and electrical heating appliances in homes are in scope of the new rules. This is intended to reduce the risk of disruption to consumers using smart-energy appliances, and to the grid.
Our new laws will make the UK more secure against those threats. It will mean fewer cancelled NHS appointments, less disruption to local services and businesses, and a faster national response when threats emerge - Secretary of State, Liz Kendall
What additional businesses will now be in scope of the amended NIS Regulations?
- Businesses offering data centre services are now designated as operators of essential services (OES), from a NIS perspective. These services are those consisting of the provision of a physical structure (data centre) which contains an area for the hosting, connection and operation of relevant IT equipment and which provides supporting infrastructure for the operation of relevant IT equipment. The new rules will apply where the rated IT load of the data centre is: (i) equal to or greater than 1 megawatt, for services provided otherwise than on an enterprise basis; or (ii) equal to or greater than 10 megawatts where the service is provided on an enterprise basis.
- Businesses offering load control services are also now OES in the energy sector - where the potential electrical control in relation to the relevant energy smart appliances managed by the load controller is equal to or greater than 300 megawatts. Relevant energy smart appliances are electric vehicles, EV charging points, electrical heating appliances, battery energy storage systems and virtual power plants.
- Managed service providers - being those providers offering a managed service in the UK (even if the provider itself is not established in the UK). Managed services are those services which include the ongoing management of IT systems for a customer, and where service provision requires access to network and information systems relied on by the customer.
- Designated critical suppliers - in a move which echoes the financial services sector's critical third party rules, regulators will now be able to designate critical suppliers who will be subject to the NIS regulations obligations, to bring important suppliers under the NIS rules umbrella.
- Businesses based outside the UK that are OES or managed service providers will be subject to the new rules if they provide their services to UK businesses, and will be required to designate UK-based representatives to handle NIS compliance matters.
The definition of cloud computing service has also been expanded to provide examples of such services (network, servers, software and storage) and to build out the definition to refer to services where: there is broad remote access to the service (it can be used from any authorised location or facility by means of any device or platform); the service is capable of being provided on demand and on a self-service basis; and the pool of computing resources may be distributed across two or more locations.
Changes to incident reporting
Businesses must report incidents which: (i) have affected or are affecting the operation or security of the network and information systems relied on to provide the essential service provided by the OES; and (ii) have had, are having or are likely to have a significant impact in the United Kingdom or any part of it. Whether an impact is significant is to be assessed against the extent of disruption which has occurred or may occur, the number of users affected, the duration of the incident, the geographical area affected and whether the confidentiality of users' data has been or is likely to be compromised. An initial notification must be made within 24 hours of the time the OES becomes aware of the incident, followed by a full notification within 72 hours.
The way in-scope businesses are to report incidents also varies by category of business, with a distinct regime applying to data centre operators, who must report incidents which have: (i) a significant impact on the operation or security of the network and information systems used to provide the data centre service in the United Kingdom; (ii) a significant impact on the continuity of the data centre service provided in the United Kingdom; or (iii) any other impact in the United Kingdom which is significant. Reports are to be made within the same timelines as for other OES.
Businesses may also need to notify customers where they are reasonably likely to be adversely affected by the incident (considering the extent of any disruption, any impact on the customer's data or any impact on the customer's network and information systems).
Notification obligations
In-scope data centre operators are required to submit certain information to the regulator within 3 months of being designated or otherwise coming within scope of the rules (including the person's name, proper address, names of directors (if a body corporate), names of partners or persons with control/management (if a partnership), and up-to-date contact details including email and telephone numbers), so that the list of operators of essential services can be maintained. Similarly, relevant digital service providers (RDSPs) and relevant managed service providers (RMSPs) must notify the ICO of their current corporate and contact information.
Enforcement
Penalties for non-compliance with the new rules have been increased, with fines set at two levels: the standard maximum amount, which is the greater of £10,000,000 or 2% of the undertaking's turnover (for undertakings); and the higher maximum amount, which is the greater of £17,000,000 or 4% of the undertaking's turnover.
Costs recovery
Regulators are empowered to impose charges on regulated entities and are given ad hoc cost-recovery powers.
Timetable
Once the Bill is passed, the Secretary of State is to issue a statement of strategic priorities, which will govern how regulators are to approach the new powers in the Bill. The extension of the NIS rules to the new categories of business set out in the Bill is to be implemented via secondary legislation.
This is an important piece of legislation that will strengthen the country's cyber resilience and ultimately better protect people's data - John Edwards, UK Information Commissioner
Next steps
- Determine if your business falls within the expanded scope of the NIS Regulations (and whether any thresholds or oversight carve-outs apply).
- Ensure all necessary registrations for RDSPs and RMSPs are in place with the ICO and up to date and, if based outside the UK, appoint a UK-based representative.
- Implement processes to meet the 24-hour (initial) and 72-hour (full) incident reporting deadlines, and ensure adequate capability to notify customers where adverse effects are likely.
- Review and enhance "appropriate and proportionate" security measures having regard to the state of the art; monitor forthcoming codes of practice and regulator guidance to ensure internal controls are aligned; and consider the extraterritorial aspects of information storage and processing.
- Review your supply chain and assess exposure to critical supplier designation, to ensure contractual and operational mechanisms to manage designation risks, information duties, and incident dependencies.
- Track the issue of the Secretary of State's strategic priorities statement, future regulations and codes of practice, and ensure board-level oversight of cyber security measures.