First established in 2018, the Network and Infrastructure Security Regulations (NIS) introduced measures to ensure the UK’s critical services, such as, but not limited to, the energy sector, were resilient to cyber attacks. The cyber security landscape, however, has changed considerably since, with recent events, such as high-profile supply chain hacks, prompting a rethink in how the government approaches the UK’s cyber security posture.
In comes NIS 2022. The standout change in this regulatory overhaul is undoubtedly the expansion of scope to cover managed service providers (MSPs) – third-party organisations that provide IT services to UK businesses. Crucially, however, they’re also organisations with privileged access to their customers’ systems. This level of access comes with a great deal of responsibility, which is why non-compliance will trigger a maximum fine of £17 million.
NIS 2022 will target MSPs, but it’s just one element of a wider plan that’ll usher in a wave of restrictions ensuring British companies operate more securely. Key figures in UK MSPs, who will be affected by the changes, tell IT Pro these changes are long overdue. The rules tackle issues that surfaced well before the high-profile cyber attacks of recent times, and impose much-needed oversight on a largely unregulated – yet critical – segment of the IT industry.
NIS 2018 vs NIS 2022: Expanding on success
The NIS regulations enshrined into law a 2016 EU directive, and oversees operators of essential services (OES) and relevant digital services providers (RDSP), such as cloud computing platforms. Businesses with fewer than 50 employees, or those with an annual turnover of less than €10 million (roughly £8.4 million), however, aren’t bound by its terms.
The government deemed its introduction a success, with a 2020 report highlighting the majority of OES firms (79%) introduced better security policies, while 61% reported improving disaster recovery processes. Less than half of RDSPs, meanwhile, introduced new security policies, likely because their postures already fell in line with requirements. The same was true for their disaster recovery plans.
Then, in December last year, the government set out its aims for the next five years with its Cyber Security Strategy (2022). The £2.6 billion roadmap sets out ambitions for the UK to become less reliant on foreign markets, alongside a commitment to collaborate with international law enforcement agencies to take down adversaries like REvil and Emotet.
There are five key ‘pillars’, including increased investment in talent and skills, greater collaboration between academia, the public sector, and the private sector, and securing the nation’s overall cyber security posture. The government also wants the UK to become more proactive in detecting and sharing information regarding cyber criminals, while taking action in cyber space to deter and disrupt malicious operations. This comes in addition to shaping the UK into becoming a leader in developing cyber security technologies.
Shifting the cost burden
The core proposals also include a provision allowing the government to “future-proof” the regulations by updating the requirements if necessary, in light of the ever-evolving cyber security landscape. It may also widen the scope of NIS 2022 to catch different types of organisations providing critical services. Among them might be internet security services providers, cyber security companies, cloud security services, and network services.
The companies that fall within its scope will also shoulder the regulatory costs, according to the government. Enforcing the rules is currently financed using a mix of industry and public funding, although changes will pass the burden of cost onto the industry, with regulators such as Ofcom, Ofgem, and the Information Commissioner's Office (ICO) able to charge companies for regulatory services. These funds will contribute towards the payment of staff salaries, office rents, and the costs of investigations and inspections. It’s a “welcome move”, managing director at Zoho/ManageEngine Europe, Sridhar Iyengar, tells IT Pro, as it’ll ensure more proactive action and responsibility on the part of organisations.
A nation of unregulated IT
MSPs play a huge role in the UK’s IT infrastructure, providing core services to businesses large and small across the nation, but they’re all largely unregulated at present. NIS 2022 aims to rectify that.
Experts in the security and MSP industries, speaking to IT Pro, unanimously welcome the proposal to expand NIS to MSPs. If its goal is to improve the nation’s cyber security posture, then regulating the businesses at the heart of recent supply chain attacks is surely an ideal place to start, according to Patrick Burgess, technical director at Nutbourne, a London-based MSP.
How digital strategy is building a better future for construction
Save time and money with digital solutions
“MSPs are currently unregulated but responsible for a large portion of the SMB sector’s IT infrastructure and security posture,” he says. “There’s no bar to entry in the sector and there are no checks or balances to confirm the quality service. We need to improve the advice being given and ensure all MSPs are meeting a minimum level of quality.”
Others agree, but highlight the “daunting” changes MSPs will have to face as they prepare to adjust their business so they become compliant. NIS 2022 is like “putting a £17m sword of Damocles over [MSPs’] heads”, adds Bruce Hockin, channel sales director at Picus Security, but it’ll ultimately lead to a more secure UK.
The UK is no stranger to supply chain attacks and fresh in the mind will be Kaseya’s hack in 2021 – one of the worst cyber attacks of the year – which affected businesses across the world, including many in the UK. The regulations are probably not a knee jerk reaction to such a high-profile case, though, the experts add. Years of supply chain attacks would have informed the decision to target MSPs.The infamous hack on database services company Blackbaud, which hit six UK universities with ransomware, is proof of that.
“Kaseya proved a point that those within the cyber security profession have been pointing out for a very long time,” says Sanjay Pandya, CISO at Nasstar. “However, yes, I believe that if Kaseya didn’t catalyse [the changes], it fast-tracked them.”
Increased burden, greater workload
One of the key reforms will see large companies having to submit "better" cyber security reports to regulators such as Ofgem, Ofcom, and the ICO. It includes a requirement to notify the relevant regulator of all serious cyber attacks they suffer, in addition to those impacting their services – the type of attacks currently reported under NIS 2018.
Under NIS 2022, a 'serious attack' is characterised by any incident that has a significant impact on the availability, integrity, or confidentiality of networks and information systems, and that could cause, or threaten to cause, substantial disruption to the service, the consultation reads. This means MSPs, by reporting every significant attack on their business, may experience increased workload and bureaucracy.
Regardless, Scott Nicholson, co-CEO at Bridewell Consulting says it’ll be a positive measure. Different businesses may perceive the definition of what constitutes a substantial attack differently, so solidifying this definition would prevent some from skirting regulatory investigation. “Removing this ambiguity and streamlining reporting obligations will minimise the risk of some critical intelligence slipping through the net,” he says.
The more demanding nature of NIS 2022 is about intelligence gathering rather than placing an undue burden on MSPs, Burgess argues. He adds the regulations resemble those in the aviation industry, where businesses are required to report “near misses”. “Near miss information would provide vital early warning signs and allow the industry to get ahead of some problems but only if something constructive was done with the reported information.”
As for the prospect of a mounting workload for larger companies, it’s too early to tell whether it’ll prove overly onerous or offer immediate value. Defining what meets the threshold of a cyber attack also needs to be finalised before any proper assessments can be made, though. Burgess says reports must be detailed enough to provide information that informs the wider picture surrounding an incident, not merely be prepared to tick boxes.
