Co-authored by Kahroba Kajouri, Trainee Solicitor

In line with the government's commitments in its 2022 National Cyber Strategy, the Department for Digital, Culture, Media & Sport (DCMS) launched a consultation on 19 January 2022 outlining its proposals for new measures to strengthen the cyber security of businesses in the UK.

The UK government acknowledges that a new legal framework is needed to raise data security standards across many UK industries. In particular, it identifies the increasing reliance on centralised, outsourced IT services as notably problematic, noting that this reliance creates a single point of failure which cybercriminals and hostile states can exploit to affect a large number of businesses in a single coordinated attack.

The proposals follow several high-profile cyber security incidents in the UK and elsewhere over the last few years and come in the context of a growing number of so-called 'ransomware' attacks. The UK government's intention is clear: to make cyber security front of mind for all UK businesses. It states that cyber security is no longer 'an optional extra'.

The proposals focus on two areas in particular:

1. New legislation to improve the UK's cyber resilience

The Network and Information Systems Regulations (NIS) came into force in 2018 and introduced a stringent enforcement regime to improve the cyber security of critical national infrastructure, such as utilities, transport and healthcare. 

The government acknowledges that increased reliance on centralised IT services can result in seemingly small players in a supply chain introducing disproportionately high levels of cyber security risk to a large number of businesses. As a result, the government now wishes to expand the scope of the NIS to cover what it refers to as 'managed service providers'; in other words, businesses offering outsourced security and IT services. The government has set out a four-limb test to determine whether a service provider would qualify as a 'managed service provider' for the purpose of the revised scope of the NIS: (i) the provider supplies services to external clients; (ii) the services involve regular and ongoing service management of data, IT infrastructure, IT networks and/or IT systems; (iii) the services are B2B (as opposed to B2C) services; and (iv) the provision of the services relies on access to network and information systems.

The proposals would also introduce a number of other changes to the NIS, including: (i) clearer reporting obligations; (ii) a two-tier supervisory regime, including more onerous obligations for critical digital service providers to continuously demonstrate compliance to the Information Commissioner's Office (ICO); (iii) expanded enforcement powers for the ICO; and (iv) a new levy on regulated entities to fund enforcement activities.

The UK government is also proposing to create new delegated powers to allow it to update the framework and scope of the NIS, to a limited extent, without the need for additional legislation.

2. Boosting the cyber security profession

The government notes that, although still fairly nascent, the UK has a booming cyber security sector with hundreds of start-ups operating in that space which have collectively raised a significant amount of funding. 

However, the government acknowledges that cyber security is an opaque topic that is hard to navigate, particularly for prospective employers, and is therefore proposing to give the UK Cyber Security Council (an independent public body created in 2021) the ability to more clearly define cyber security jobs and qualifications and introduce new competency standards and certifications. 

The hope is that this will make it easier for prospective employers to identify candidates with the most relevant experience in cyber security and will also lower barriers to entry and progression by establishing a clearer career path in the cyber security space. The government is also proposing to introduce a register of cyber security practitioners, similar to other regulated professions, such as the legal and medical sectors.

Next steps

These proposals were introduced in the wider context of the UK government's 2022 National Cyber Strategy, which was published in December 2021 with the stated objective of building a resilient 'digital-first' economy and strengthening the UK's information ecosystems.

The consultation on boosting the cyber security profession is open until 20 March 2022, while the consultation on revisions to the NIS closes on 10 April 2022. Details on how to submit a response to the consultation can be found here

Originally published 21 February 2022
