Under the intended changes, according to the Department for Digital, Culture, Media & Sport:
- MSPs (managed service providers, providing, for example, security monitoring and digital billing) will be brought into scope of the NIS regulations “to keep digital supply chains secure”.
- Essential and digital services will be required to improve cyber incident reporting to regulators such as Ofcom, Ofgem and the ICO. This includes notifying regulators of “a wider range of” incidents that disrupt service or which could have a high risk or impact to their service, even if they don’t immediately cause disruption.
- The Government will get power to amend the NIS regulations. “This change will allow more organisations to be brought into scope if they become vital for essential services and add new sectors which may become critical to the UK’s economy.”
- Regulators will be allowed to establish a cost recovery system for enforcing the NIS regulations in processes that are “more transparent and take into account the wider regulatory burdens, company size, and other factors to reduce taxpayer burden”.
- The Information Commissioner will be able to take a “more risk-based approach” to regulating digital services and will be allowed to take into account “how critical providers are to supporting the resilience of the UK’s essential services”
The Government’s detailed analysis of public responses to its January call for consultation, and its broad intentions, are available on this web page. The intended regulations are not yet available.
The UK NIS Regulations originally entered service in 2018.