Significant reforms are on the way for the UK's implementation of NIS, many of which differ from the EU's recent NIS 2 reforms. This article and the expanded whitepaper explore the historical context of the NIS framework, explain the proposed UK reforms and compare the UK reforms to the EU's NIS 2.

Background

The EU introduced the NIS 1 Directive in 2016 to combat cyber threats to critical infrastructure. In January 2023, the EU adopted the NIS 2 Directive, expanding the scope of the original directive and giving member states until October 2024 to implement it. For more information on the NIS 2 Directive, please see our previous briefing note here.

In the UK, the NIS 1 Directive was incorporated into the Network and Information Systems Regulations 2018 (UK NIS Regulations). The UK government undertook a review of the UK NIS Regulations in 2022, which led to the reforms currently being proposed.

Proposed Changes to the UK NIS Regulations

Regulation of managed service providers (MSPs): MSPs are increasingly susceptible to cyberattacks because they have access to the IT systems of multiple customers. The UK intends to expand the definition of relevant digital service providers (RDSPs) under the UK NIS Regulations to include MSPs that have certain characteristics and meet risk criteria.

Full details of these characteristics, risk criteria and the types of MSPs captured by the proposed UK NIS reforms can be found in the more detailed whitepaper attached.

Inclusion of small and micro RDSPs: While small and micro enterprises were initially excluded from RDSP obligations, the proposed reforms permit the Information Commissioner to subject critical small and micro RDSPs to the regulations if they are deemed systemically critical.

Two-tier supervisory regime: The UK government plans to introduce a two-tier supervisory regime for RDSPs, with the most critical entities being subject to new proactive supervision. The new supervisory regime and the criteria for categorisation will be implemented via non-legislative mechanisms.

Delegated powers to update regulation: To respond more effectively to evolving threats, the UK government will be granted the power to modify aspects of the UK NIS Regulations without parliamentary approval. This includes updates to sections related to the national framework, essential services, digital services, enforcement, and penalties. The UK government would also be able to change (and add to) the existing sectors and sub-sectors which are subject to the UK NIS Regulations.

Full details of these delegated powers and the sectors that the UK government has indicated it may add in future can be found in the more detailed whitepaper.

Power to regulate critical sectoral dependencies: The UK government will be empowered to designate critical dependencies (suppliers on which essential services rely) based on consultations and risk assessments conducted by competent authorities. Critical dependencies would be subject to the same obligations as operators of essential services.

Additional incident reporting obligations: The reforms aim to broaden incident reporting requirements beyond those which affect continuity of service, with operators of essential services and RDSPs needing to report security incidents that significantly impact the security of network and information systems for essential services.

Full cost recovery for NIS functions: Competent authorities will gain the ability to recover their enforcement costs from regulated organisations, shifting the burden from taxpayers. Competent authorities will also have greater flexibility in how they recover costs from regulated organisations generally.

More details on how these cost recovery mechanisms are likely to work can be found in the more detailed whitepaper.

Comparison of UK and EU Reforms

The UK's proposed reforms expand the existing UK NIS Regulations but are less extensive than the EU's NIS 2 Directive. The UK government acknowledges this divergence, stating that its reforms are tailored to the UK economy. However, organisations operating under both regimes will face compliance challenges.

A table comparing the key differences between the current UK NIS Regulations, the proposed UK reforms and the EU's NIS 2 reforms can be found in the more detailed whitepaper.

Conclusion

Organisations operating in various sectors need to stay informed about the ongoing cybersecurity reforms taking place in the UK and the EU. MSPs in the UK should prepare for potential inclusion in the UK NIS regime, while organisations providing services in the EU should assess their obligations under the expanded NIS 2 Directive.

The UK government plans to release draft legislation setting out its proposed reforms once parliamentary time allows, likely in the near future. In the EU, the NIS 2 Directive was passed in January 2023 and needs to be transposed into national law by October 2024.

Will you be captured by the revised UK NIS Regulations? Equally, does your company provide services in the EU and fall within the expanded list of sectors and subsectors set out in the EU NIS 2 Directive?

See the more detailed whitepaper attached and get in touch with Nikhil Shah to start considering the requirements that will apply to you.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.