Government signposts changes to UK cyber security regulations

Following the launch of its public consultation on UK national cyber security in January, and subsequent responses from industry, the UK Government has released its analysis of the responses and set out what it intends to change when it updates the ‘Network and Information Systems’ (NIS) regulations “as soon as parliamentary time allows”, it said. The updated regulations “will apply to critical service providers, like energy companies and the NHS, as well as important digital services like providers of cloud computing and on-line search engines”.

Under the intended changes, according to the Department for Digital, Culture, Media & Sport:

  • MSPs (managed service providers, providing, for example, security monitoring and digital billing) will be brought into scope of the NIS regulations “to keep digital supply chains secure”.
  • Essential and digital services will be required to improve cyber incident reporting to regulators such as Ofcom, Ofgem and the ICO. This includes notifying regulators of “a wider range of” incidents that disrupt service or which could have a high risk or impact to their service, even if they don’t immediately cause disruption.
  • The Government will get power to amend the NIS regulations. “This change will allow more organisations to be brought into scope if they become vital for essential services and add new sectors which may become critical to the UK’s economy.”
  • Regulators will be allowed to establish a cost recovery system for enforcing the NIS regulations in processes that are “more transparent and take into account the wider regulatory burdens, company size, and other factors to reduce taxpayer burden”.
  • The Information Commissioner will be able to take a “more risk-based approach” to regulating digital services and will be allowed to take into account “how critical providers are to supporting the resilience of the UK’s essential services”.

The Government’s detailed analysis of public responses to its January call for consultation, and its broad intentions, are available on this web page. The intended regulations are not yet available.


The UK NIS Regulations originally came into force in 2018.


