by Michael Power
At Trend Micro we’re on the front line in the fight against threat actors. We see every day the ingenuity and determination of these adversaries. That’s why governments must lead from the front by raising the bar of baseline security standards, especially for providers of critical services.
So we’re delighted to see new proposals for updating the UK’s Network and Information Systems (NIS) Regulations 2018 to something fit for the modern digital age.
Why NIS matters
The EU’s NIS Directive was adopted in 2016 and transposed into UK law in May 2018, the same month the GDPR took effect, so it slipped in largely under the radar. The UK regulations require “operators of essential services” in sectors such as energy, transport, health, drinking water and digital infrastructure, along with “relevant digital service providers” such as cloud computing services, online marketplaces and search engines, to take appropriate and proportionate security measures and to report significant incidents. The aim is not to protect personal data, as with the GDPR, but to keep those services available and resilient when they are attacked.
However, there have been grumblings in the past about unclear expectations and a lack of support from national authorities. What’s more, the threat landscape has changed significantly over the past four years. Sectors like healthcare are under even greater pressure from threats like ransomware, while managed service providers (MSPs) have become an increasingly popular target, as the 2021 Kaseya VSA supply-chain attack showed: compromising one provider gives an attacker a route into every customer it manages.
That’s why we welcome the government’s consultation to update the regulation, and to make it more adaptable in the future to the ever-evolving cyber landscape.
The headline proposed change to NIS 2018 is the inclusion of “managed services” in its coverage of the digital sector. Bringing MSPs into scope would hold them to the same security and incident reporting duties as the organisations they serve, which should make them, and their customers, more resilient as threat actors single them out with greater frequency.
However, there’s more. The government also wants to:
- Apply a two-tier supervisory regime for all digital service providers: a new proactive supervision tier for the most critical providers, alongside the existing reactive supervision tier for everyone else
- Create new powers enabling it to update the regulations, in terms of framework and scope, with appropriate safeguards
- Create a new power to bring into the NIS remit organisations on which entities already in scope are critically dependent
- Strengthen existing incident reporting duties, currently limited to incidents that actually disrupt services, to also cover other significant incidents, such as a compromise that has not yet caused an outage
- Extend provisions to allow sector-specific regulators (eg, Ofcom, Ofgem and the ICO) to recover all reasonable implementation costs from companies that they regulate
Take a look at the proposals and let us know what you think. More importantly, let the government know. The deadline for responses is 11:45pm on Sunday 10 April 2022.