
UK updates NIS regulations bringing stricter rules for MSPs

Widely welcomed changes aim to boost security standards and reduce risk of disruptive attacks to key national services

The UK government has confirmed that the planned changes to the Network and Information Systems (NIS) regulations have officially come into effect, bringing stricter rules and requirements to managed service providers (MSPs).

The updates to the framework come as a response to a public consultation held earlier this year, which highlighted the need to adapt to new and increasingly sophisticated cyber risks.


The NIS regulations were first established back in 2018 in a bid to improve cyber security for organisations that provide critical services to the UK. Companies that fail to implement adequate cyber security measures can be fined up to £17 million for non-compliance. 

Since their introduction, however, cyber attacks have continued to evolve and adapt, an issue highlighted by the likes of Operation CloudHopper, a high-profile attack that targeted MSPs and compromised thousands of organisations through their access to customers’ IT networks.

As a result of such incidents, MSPs have now been brought into the scope of the regulations, and several new restrictions have been added to help maintain supply chain security.

“The services we rely on for healthcare, water, energy, and computing must not be brought to a standstill by criminals and hostile states,” said Julia Lopez, minister for media, data, and digital infrastructure. “We are strengthening the UK’s cyber laws against digital threats. This will better protect our essential and digital services and the outsourced IT providers which keep them running.”

Speaking to IT Pro earlier this year, industry experts unanimously welcomed the government's intention to bring MSPs into the scope of the new NIS regulations.

MSPs play a significant role in the world's IT infrastructure and have privileged access to numerous private sector organisations' IT estates. Compromising an MSP or other privileged organisation can lead to cyber attacks in the supply chain, as evidenced by the infamous Kaseya case in 2021.

The legislative changes form part of the government’s £2.6 billion National Cyber Strategy, which it says aims to take a stronger approach to getting at-risk businesses to improve their cyber resilience.

Organisations will need to improve cyber incident reporting to regulating bodies such as Ofcom, Ofgem, and the ICO, and are required to notify their respective regulator of a wider range of incidents that disrupt their service - or ones that have the potential to do so.

“These measures will increase the resilience of the country’s essential services – and their managed service providers – on which we all rely,” commented Paul Maddinson, NCSC director of national resilience and strategy.

Additionally, the UK government will be able to amend and adapt the regulations in future should other sectors and services become essential to the UK’s economy. 

Regulators will also be able to set up a “more transparent” cost recovery system for enforcing the regulations, the government says, factoring in wider regulatory burdens, company size, and other factors to minimise the impact on taxpayers. 

Carla Baker, Palo Alto’s senior director of public policy UK and Ireland, said the cyber security firm backs the continued development of an “agile policy framework”.

“We welcome the opportunity to engage with the UK government as it reviews the legislation and develops guidance for industry to enhance cyber resilience and combat the risk that malicious actors pose to the UK’s national security,” she said.
