Expanding UK and EU requirements to cyber-secure services and products in the supply chain

Why the need for change to the NIS Regulations?

The proposed reforms were prompted, in part, by a number of high-profile cyberattacks in recent years where threat actors exploited vulnerabilities in supply chains to immense disruptive effect. A single attack on a supplier would have a wide impact, given the large amount of customers who make use of that supplier’s services.

The devastating ripple effect of a supply chain attack is of increased concern, given the trend for businesses to rely on IT suppliers to provide essential digital services/support. Most commonly, this involves the outsourcing of IT or key business processes (and their underlying maintenance/support) to a managed service provider (MSP) with privileged access to internal systems – that is why they are a particular focus in the UK’s proposed update.

The story so far

The NIS Regulations came into force in 2018 to improve the cyber security of companies providing critical services, and implemented the EU’s Network and Information Systems Directive (NIS1).

By way of a recap, NIS1 applies to two types of service providers:

1. operators of essential services (OES) which are broadly service providers in the water, energy, transport, health and digital infrastructure sectors; and

2. relevant digital service providers (DSP) comprising online search engines, online marketplaces and cloud service providers.

In-scope entities are required to put in place appropriate and proportionate security measures and are subject to incident reporting requirements. They can be fined up to £17 million for non-compliance.

In January 2022 the government launched a consultation on its proposals for legislation to improve the UK’s cyber resilience as part of its £2.6 billion National Cyber Strategy to protect and promote the UK online. As the main legislative vehicle for promoting the security of networks underpinning the UK’s essential and digital services, this included amendments to the NIS Regulations to address the evolving cybersecurity threats faced by the UK.

The consultation was concluded in April 2022 and the government’s response was published in November 2022. The changes are currently expected to be implemented and brought into force some time in 2024.

What’s new?

The government’s seven proposals which were consulted on were split across two pillars.

Pillar I contained proposals to amend provisions relating to DSPs by:

1. Expanding the regulation of DSPs to bring MSPs in scope (more on this below), making them subject to the same duties as other DSPs.

2. Establishing a two-tier supervisory regime for DSPs. This risk-based regime would consist of a pro-active supervision tier for a limited group of the most critical providers, which would be expected to co-operate and work with the Information Commissioner’s Office (ICO). The pro-active tier would sit alongside the existing reactive supervision tier (e.g. where the ICO intervenes post-incident) which would apply to the vast majority of registered DSPs.

Pillar II contained proposals to future-proof the NIS Regulations by:

3. Providing ministers with delegated powers to update the NIS Regulations through secondary legislation.

4. Providing ministers with delegated powers to expand the scope of the NIS Regulations to add/change new sectors and sub-sectors.

5. Providing ministers with delegated powers to designate critical suppliers or services that in-scope entities are critically dependent on to bring them within the remit of the NIS Regulations.

6. Expanding current incident reporting duties to include incidents that do not disrupt service continuity but which nonetheless pose a significant risk.

7. Allowing competent authorities to expand costs recovery so that the burden is not on the taxpayer.

Am I likely to be caught by the updates to the NIS Regulations?

Most digital managed services such as security monitoring, managed network services or business process outsourcing such as digital billing are not currently regulated under the NIS Regulations, despite being staging points through which attackers can compromise clients of those MSPs. MSP clients cross all sectors of the UK economy and critical national infrastructure, which gives attackers the ability to disrupt essential services at scale.

The government therefore intends to incorporate managed services into the NIS Regulations by adding them to the list of digital services that are currently regulated. Doing so should help ensure that a baseline of appropriate and proportionate security measures are put in place by such service providers.

Following the consultation, it is anticipated that MSPs meeting all of the following characteristics will be in-scope:

• the managed service is provided by one business to another business (i.e. B2B); and
• it is related to the provision of IT services, such as systems, infrastructure, networks and/or security; and
• it relies on the use of network and information systems, including the network and information systems of the provider, their customers and/or third parties; and
• it provides regular and ongoing management support, active administration and/or monitoring of IT systems, IT infrastructure, IT network and/or the security thereof.

The Information Commissioner will be tasked with setting out further guidance on the characteristics of MSPs.

The illustrative list of examples of MSPs which the government intends to capture is as follows:

• IT outsourcing services (ITO).
• Private wide area network (WAN) managed services.
• Private local area network (LAN) managed services.
• Service integration and management (SIAM).
• Application modernisation.
• Application management.
• Managed security operations centre (SOC).
• Security monitoring (SIEM).
• Incident response.
• Threat and vulnerability management (TVM).

The government has said that it is not currently proposing to bring data centres within the remit of the updated NIS Regulations, but this situation will be kept under review. That said, some data centres may already be in-scope if, for example, they are used by cloud service providers, or form part of the network and information systems that support the provision of a managed service.

What else should I keep an eye out for in the UK and EU?

In parallel with these updates to the NIS Regulations, at an EU level the NIS2 Directive is being implemented by Member States and is due to come into effect on 17 October 2024. Click here for our article on NIS2 and how it will expand cybersecurity obligations and reporting requirements for many more businesses. The UK government appears to be adopting a broadly similar, yet slightly different, approach to NIS reform than the EU. For example, whilst data centres are not expected to be in-scope of the UK’s updated NIS Regulations, they are for NIS2. This will mean that UK and EU businesses operating in both markets will have to keep a close eye both on the UK and each EU Member States’ evolving and potentially divergent approaches to NIS regulation to ensure compliance with both regimes.

The EU’s Cyber Resilience Act (CRA), which will facilitate the compliance of digital infrastructure providers with the supply chain requirements of NIS2, is also progressing on its legislative journey: a common position having now been reached by Member States, the trilogues will begin shortly. This draft regulation will introduce mandatory cybersecurity requirements on various actors in the supply chain to ensure that hardware and software products (a.k.a. “products with digital elements”) are produced and placed on the EU market with fewer vulnerabilities, and that they remain secure throughout their lifecycle. The CRA's transparency measures should also enable users to take cybersecurity into account when selecting and using such products.

As well as strengthening the NIS Regulations, other UK cybersecurity reforms on the cards include introducing a so-called “cyber duty to protect”. This duty would place greater responsibilities on organisations who manage online personal accounts to protect those accounts and data. It is especially important given the widespread reuse of passwords by individuals – a vulnerability that is widely exploited by attackers, for example in credential stuffing attacks (read more about this attack vector and how it affects the retail sector here). The government has not yet responded to its consultation on this proposal.

The UK’s Product Security and Telecommunications Infrastructure Act 2022 (PSTIA), which has similar aims to the CRA, will introduce a number of minimum security requirements in relation to consumer connectable products, including transparency on minimum periods for security support and vulnerability reporting, as well as banning default or easily guessable passwords. Businesses involved in supply chains of such products will need to be compliant from 29 April 2024 when the regime will enter into effect (and UK businesses selling cross-border into the EU will also need to consider the CRA). Read more about the requirements here.

The reforms to the NIS regulations and PSTIA come in the context of the government’s National Cyber Strategy which is clear that services offered by managed service providers and platforms should not be over-reliant on their customers taking protective actions – they should be secure by default with security embedded into organisation’s operations. Watch this space for progress updates.