Government response to the call for views on proposals to improve the UK’s cyber resilience
Updated 30 November 2022
1. Contact details
This document sets out the government’s response to the public consultation on proposals to improve the UK’s cyber resilience.
Comments on the government’s response can be sent to:
Network and Information Systems Team
Department for Digital, Culture, Media & Sport
4th Floor - 4/48
100 Parliament Street
London
SW1A 2BQ
Email: [email protected].
Alternative format versions of this publication can be requested from the above address.
Complaints or comments
If you have any complaints or comments about the consultation process you should contact the NIS Directive Team at the above address.
Freedom of information
Information provided in the course of this consultation, including personal information, may be published or disclosed in accordance with access to information regimes, primarily the Freedom of Information Act 2000 (FOIA) and the Data Protection Act 2018 (DPA).
The Department for Digital, Culture, Media and Sport will process your personal data in accordance with the DPA and, in the majority of circumstances, this will mean that your personal data will not be disclosed to third parties. This consultation follows the UK government’s consultation principles.
2. Executive summary
2.1 Overview
The security of network and information systems that support the UK’s essential and digital services remains a priority for the government. The economic and physical welfare of the UK’s economy and society is dependent on these services and the network and information systems that support them.
In January 2022, the government launched a public consultation on proposals for legislation to improve the UK’s cyber resilience. The proposals included seven policy measures, split across two pillars, which aim to address the evolving cyber security threats the UK faces via amendments to the Network and Information Systems (NIS) Regulations 2018, the main legislative vehicle for promoting the security of networks underpinning the UK’s essential and digital services.
The overall response to these proposals has been positive. Almost all of them have received high levels of support along with constructive and helpful feedback which the government has taken into account.
The proposals were split into two pillars: the first contains proposals to amend provisions relating to digital service providers, and the second proposals to future-proof the UK NIS Regulations. The seven proposals are split across the two pillars as follows:
Pillar I: Proposals to amend provisions relating to digital service providers
1. Expanding the regulation of digital service providers;
2. The supervisory regime for digital service providers.
Pillar II: Proposals to future-proof the UK NIS Regulations
3. Delegated power to update the NIS Regulations in the future within its current framework;
4. Delegated power to amend the scope of the NIS Regulations to add sectors and subsectors;
5. Measure to regulate critical sectoral dependencies in NIS;
6. Additional incident reporting duties beyond continuity of service; and
7. Full cost recovery for NIS functions.
2.2 Consultation outcomes
The response to the consultation on these proposals offers an overview of the responses and key findings, and provides the government response and next steps for policy development. 304 survey responses were received, of which 177 were blank, and 37 additional responses were received via email; no responses were received by post. Respondents tended to be organisations rather than individuals.
Overall feedback from respondents was positive, with six of the seven proposed measures receiving more positive than negative responses on their implementation. The one exception was full cost recovery for NIS functions, where there were more negative responses than positive towards the measure.
Pillar 1 feedback
The proposals regarding digital service providers received overwhelmingly positive feedback (84% approval for the measure on expanding the regulation of digital service providers, and 79% approval for the measure on amending the supervisory regime for digital service providers). Areas for improvement were also noted.
For the first measure, constructive feedback indicated that the government should narrow down the characteristics further, and be clearer on the types of organisations that are expected to be captured. The government has considered this and revised the characteristics and examples, and clarified further the position on small and micro enterprises.
The second measure, while enjoying a very positive reception, also had some constructive feedback. Primarily, this indicated that some of the factors to be taken into account when considering whether an organisation should be subject to proactive, rather than reactive, monitoring required revision (namely: scale, financial, market reach, and market concentration). The response indicates the government’s proposals for next steps; namely, that it will continue with the measure, primarily through non-legislative means if possible; further guidance from the Information Commissioner to digital service providers is planned.
Pillar 2 feedback
The proposals to future-proof the Network and Information Systems Regulations received positive feedback and support for the first four measures, and slightly negative feedback for the cost recovery proposal (46% approval rate). Again, respondents made suggestions on how these measures could be improved.
The third measure, relating to introducing delegated powers to make updating amendments in the future, received an 88% approval rate from respondents. Constructive feedback indicated that the safeguards and limitations should be more explicit, which the government will consider.
With measure four, 81% of respondents agreed with the government’s proposal to introduce delegated powers to amend the scope of the regulations (by changing the sectors and sub-sectors) in the future. Where there was disagreement, feedback indicated a need for substantial safeguards and sufficient parliamentary scrutiny; the government’s proposal did include such safeguards, and the department will consider additional measures and assess their efficacy as the proposal is taken forward.
90% of respondents supported the fifth measure, a proposal to introduce a new power to designate critical dependencies and regulate those entities that are vital to the provision of essential services. Suggestions for improvement from stakeholders were mostly around the need to have clear guidance on how the power will be used and what factors will be significant in assessing the need for the power to be used, the necessity of stakeholder consultations when using the power, that regulators have the right capability to monitor these organisations, and ensuring that it will not introduce unnecessary, disproportionate, or inappropriate burdens to organisations. The government agrees with this feedback and will reflect it in the proposal.
A strong majority (68%) agreed with measure six, the government’s proposals to amend the incident reporting framework under the NIS Regulations, and as such the government will continue pursuing this measure. Notable feedback on this measure was the necessity for further guidance regarding the types of incidents and the process through which they will be reported. The government agrees with this feedback and will consider how best it can be incorporated into the existing guidance from competent authorities.
Finally, with regard to the seventh and final measure, to expand cost recovery provisions to allow competent authorities to recover the full cost of regulation, the government’s proposal received a mixed reception. With only a 46% approval rate, the measure received a significant amount of constructive feedback, which the government is carefully considering. Concerns primarily related to the burdens that the new proposal would bring, in addition to the danger of creating perverse incentives for regulators to enforce more regularly. Reassurance and clarifications on these issues have been provided where possible and, moving forward, additional guidance will be developed to clarify the impacts of the cost recovery mechanisms.
2.3 Conclusions
The outcome of the consultation has been overwhelmingly positive, with significant support for the majority of the measures. The government will proceed with these proposals and amend the NIS Regulations accordingly. This will be subject to finding a suitable legislative vehicle.
It is equally important to note that the support was accompanied by a large number of suggestions for improvements; these are vital to the policy development process, and the government will make every effort to implement and reflect them into the policy where appropriate. Comments have been considered, and the consultation response aims to indicate where policy has changed in light of the feedback. Finally, where feedback was not entirely supportive (cost recovery), the government will provide further clarity and reassurance, and will continue to explore alternative options.
Since the initial implementation of the NIS Regulations in 2018, the UK has opted for an approach that aims to minimise regulatory burdens on industry. The government will continue to work closely with relevant authorities in sectors not in scope of the NIS Regulations 2018. This includes the Financial Conduct Authority and Bank of England, and their proposals relating to critical third parties in the finance sector. For more information, see the FCA discussion paper.
3. Methodology
On 19 January 2022, the Call for Views on proposals for legislation to improve the UK’s cyber resilience was published on gov.uk for 11 weeks and four days. Feedback was open to the public and included responses from individuals, organisations in scope of the NIS Regulations, and other private and public entities. The consultation closed on 10 April 2022.
The consultation asked respondents 64 questions, including both closed and open questions. For some questions, respondents were offered the opportunity to expand on answers and provide more detail with qualitative open text boxes. For open response questions, every response was reviewed, and while not every point that was made by each respondent can be reflected, responses were coded to identify common themes.
Individuals and organisations were invited to participate via an online survey, email, or post. Respondents did not have to complete every (or any) question and could choose which measures they answered. Some respondents answered multiple measures, whereas others only answered one. For inclusion in the consultation analysis, participants had to have opted to answer the measure and also completed at least one of the questions in that section. Responses were excluded from the consultation analysis if they did not meet these criteria or if the response did not directly answer the question (e.g. if it was off topic). In total, the consultation received 304 responses, of which 177 were blank. These blank responses were removed from the analysis and not incorporated into the base numbers presented throughout the analysis. In addition to the online survey responses, 37 responses were received by email, and no responses were received by post. The number of responses for each measure can be found below in Table 1.
Table 1: Number of responses by measure
Measure | Number of responses |
---|---|
Expanding the definition of digital service providers | 135 |
The supervisory regime for digital service providers | 79 |
Delegated power to update the NIS Regulations in the future | 75 |
Delegated power to amend the scope of the NIS Regulations | 66 |
Measure to regulate critical sectoral dependencies in NIS | 69 |
Additional incident reporting duties beyond continuity of service | 78 |
Full cost recovery for NIS functions | 61 |
All questions and the accompanying percentages are reported based on the number of respondents that answered that individual question. This is detailed in the description of each question through each section of this government response. Where results do not sum to 100% this may be due to the rounding of percentages or respondents selecting multiple responses.
As the measures proposed in the call for views mainly impact organisations, the majority of responses were from organisations. Where there are notable differences in responses given by organisations and individuals, this will be indicated in the results. The details of the respondent type by measure can be found below in Table 2.
Table 2: Respondent type by measure
Measure | Individual | Organisation | No response |
---|---|---|---|
Expanding the definition of digital service providers | 25 (19%) | 72 (53%) | 38 (28%) |
The supervisory regime for digital service providers | 18 (23%) | 55 (70%) | 6 (8%) |
Delegated power to update the NIS Regulations in the future | 23 (31%) | 48 (64%) | <5 |
Delegated power to amend the scope of the NIS Regulations | 21 (32%) | 43 (65%) | <5 |
Measure to regulate critical sectoral dependencies in NIS | 24 (35%) | 44 (64%) | <5 |
Additional incident reporting duties beyond continuity of service | 21 (27%) | 53 (68%) | <5 |
Full cost recovery for NIS functions | 16 (26%) | 43 (70%) | <5 |
This government response provides an overview of the findings collated through the analysis of the responses to amending the NIS Regulations.
4. Pillar I: Proposals to amend provisions relating to digital service providers
4.1. Expanding the regulation of digital service providers
Proposal summary
Expansion of the digital services regulated under the NIS Regulations to include “managed services” and for the providers of digital managed services to be subject to the same duties as the other digital service providers regulated under the NIS Regulations.
Analysis summary
The majority (86%) of respondents agreed that managed services should be brought into scope of the NIS Regulations.[footnote 1] Most (84%) organisations that would be regulated as managed service providers under this proposal agreed that managed service providers should be brought into the scope of the NIS Regulations.[footnote 2]
In the consultation, respondents were asked to review examples of managed services which could be considered to be within the scope of the measure. Nearly two-thirds (64%) of respondents agreed with the examples of managed services provided in the consultation that would be within or out of scope of the NIS Regulations.[footnote 3][footnote 4] The majority (84%) of organisations that would meet the criteria outlined in measure one agreed that managed service providers should be brought into the scope of the NIS regulations.[footnote 5]
Where respondents disagreed both with the proposal to include managed services in the NIS Regulations (12 respondents) and the examples provided in the consultation, we asked respondents to elaborate further on their answers. In this, the most common themes for not agreeing with the proposals and examples set out in the consultation related to assertions that:
- businesses already have sufficient security frameworks in place, so further government intervention is not required; and
- the NIS Regulations are not the right tools for these organisations. Here, concerns were raised that the NIS Regulations are not prescriptive enough and “leave room for risk-based interpretation.” Respondents suggested that requiring these organisations to hold Cyber Essentials Plus or to follow a code of conduct would be more appropriate.
As shown in Table 3, the majority of respondents agreed that a range of managed services brought into scope of NIS Regulations should be defined by the characteristics indicated in the consultation.
Table 3: Do you agree that the range of managed services brought into scope of NIS legislation should be defined by the following characteristics?
Response | Characteristic 1 - They are supplied to a client by an external supplier[footnote 6] | Characteristic 2 - They involve regular and ongoing service management of data, IT infrastructure, IT networks and/or IT systems[footnote 7] | Characteristic 3 - They are categorised as business to business (B2B) rather than business to consumers (B2C) services[footnote 8] | Characteristic 4 - Their provision relies on the provider’s own network and information system[footnote 9] |
---|---|---|---|---|
Yes | 78% | 77% | 73% | 66% |
No | 22% | 23% | 27% | 34% |
In the consultation, we allowed respondents to elaborate further on any of the characteristics. Where respondents elaborated further, 50% of these responses highlighted characteristic 4 as an issue, as some of the services provided by managed service providers may rely on external suppliers.[footnote 10] For instance, one respondent stated “ownership of the network or information system raises a host of practical issues, where, for instance, hardware might be owned by one party, while software components are provided and maintained by another.” Similarly, another respondent said that “a managed service provider could use a white-labelled service from another company” or be “critically dependent on another provider such as cloud hosting.”
In relation to characteristic 3, respondents highlighted the need to include some business to customer (B2C) services as well as business to business (B2B) services. Finally, for characteristics 1 and 2, respondents mentioned that these characteristics were too narrowly defined.
In the consultation, respondents were presented with two options relating to narrowing the definition of managed service providers. These were:
- Option A: Having privileged access or connectivity to a customer’s data, IT infrastructure, IT networks and/or IT systems; and
- Option B: Performing essential or sensitive functions.
Respondents were asked how effective they believed each of the government’s proposed options for narrowing the definition of managed service providers will be. As shown in Figure 1, 89% of respondents found Option A to be ‘very’ or ‘somewhat effective’ with 87% of respondents finding option B ‘very’ or ‘somewhat effective’. For both options, the majority of respondents selected that they thought these options would be ‘somewhat effective.’
Figure 1: How effective do you believe each of the government’s proposed options for narrowing the definition of managed service providers will be?[footnote 11]
Response | Option A | Option B |
---|---|---|
Very effective | 36% | 30% |
Somewhat effective | 54% | 57% |
Not at all effective | 7% | 9% |
Don’t know | 4% | 4% |
Respondents were asked to explain in more detail why they believed each of the proposed options to be either effective or ineffective. Where respondents elaborated further, 30% of these responses thought that the proposed options were correct in principle and support the objective, but needed some additional adjustments or clarifications.[footnote 12] For instance, one response highlighted “the definition is correct but as a practical matter, it will be difficult for the managed service provider to disentangle those parts of their business providing support to NIS-regulated essential services and those providing support to non-regulated businesses.” Similarly, another respondent who thought both options were ‘somewhat effective’ said “I feel the two criteria are well thought, but they still need interpretation to make them more clearly defined. Note that not all customer’s data, IT infrastructure, IT networks, and IT systems have the same level of criticality.”
Finally, respondents were asked if they thought the exemption for small and micro-businesses in the digital service provisions should be modified to enable a small number of critical providers to be brought under the scope of NIS Regulations. The majority of respondents (70%) indicated that they thought the exemption should be modified to enable a small number of critical providers to be brought under scope of the NIS Regulations.[footnote 13] Within this, 100% and 75% of micro[footnote 14] and small[footnote 15] businesses, respectively, agreed with the exemption being modified to enable a small number of critical providers to be included in the NIS Regulations.[footnote 16]
Government policy response
Overall, the consultation responses demonstrated strong support for the proposal to bring managed services into the scope of the NIS Regulations and the government intends to pursue this measure as soon as parliamentary time allows.
Feedback indicated broad support for the overall scope of the proposals, including the proposed core characteristics of a managed service set out in the consultation. As such, the government intends to capture broadly the same suggested core characteristics for the proposed regulation of managed services in scope of this proposal.
However, feedback from the consultation, as well as industry feedback voiced via additional engagement, highlighted areas where the wording of the characteristics could be considered unclear. The government has applied a few minor amendments to the characteristics as a result (see section i below). Further information on these characteristics, and rationale for any changes, is set out in Annex 1.
i. Updated characteristics of managed service
- The managed service is provided by one business to another business (i.e. a third party); and
- The service is related to the provision of IT services, such as systems, infrastructure, networks and/or security; and,
- The service relies on the use of network and information systems, whether this is the network and information systems of the provider, their customers or third parties; and
- The service provides regular and ongoing management support, active administration and/or monitoring of IT systems, IT infrastructure, IT network, and/or the security thereof.
The list of example services in scope of this measure has also been amended to reflect these changes (see section ii below). The overall scope remains broadly the same with some small clarifications. This reflects the overall support for the proposed scope of this measure in responses to the consultation.
It is important to note that these characteristics and the associated list of examples are intended to demonstrate the type of services the government is seeking to bring into the scope of the NIS Regulations. They are intentionally broad, as well as technology-agnostic, in order to future proof the legislation against terminology changes that may happen in the future.
When these proposals come into effect, the Information Commissioner will set out further detailed guidance on the characteristics of managed service providers, as they have with other digital service providers in scope of the NIS Regulations.
ii. Managed service - further detail on scope
This box sets out examples of “managed IT services” which the government intends to capture through this measure. This list is meant for illustrative purposes only.
- IT outsourcing services (ITO);
- Private wide area network (WAN) managed services;
- Private local area network (LAN) managed services;
- Service integration and management (SIAM);
- Application modernisation;
- Application management;
- Managed security operations centre (SOC);
- Security monitoring (SIEM);
- Incident response;
- Threat and vulnerability management (TVM).
At present, the government is not proposing to specifically regulate data centres under this measure. However, the government is undertaking a comprehensive review of the security and resilience of data centres, and will determine the appropriate course of action to address risks in the sector as part of that process, including whether regulation is necessary, and if so, whether NIS is a suitable regulatory vehicle. The government will therefore keep the inclusion of data centres in NIS under review.
It should be noted that some data centres may already be captured under the scope of NIS through their use by cloud service providers. Similarly, data centres may fall in scope of this measure indirectly through forming part of the network and information systems that support the provision of a managed service or managed security service.
For the avoidance of doubt, software development is also not intended to be in scope of this measure. Therefore, independent software vendors whose function is to develop software are not proposed to fall in scope.
Some respondents indicated that characteristics 1, 2 and 3 in the consultation could be considered as being too narrowly defined. It is important to highlight that managed services are being brought into scope of the NIS Regulations due to their unique and growing importance in the UK economy and the systemic dependencies they create across multiple sectors. This is not intended to imply that managed services are the only services within supply chains which have the potential to pose a risk to the UK’s resilience. This measure is only one part of a wider toolkit the government will use to address supply chain risks, including both legislative and non-legislative measures.
In relation to characteristic 3, a few respondents highlighted the need to include some business to customer (B2C) services alongside business to business services (B2B) already suggested. The current proposal to bring into scope only business to business services into this legislative measure reflects the government’s intention to capture only those services which present the greatest systemic risk to the UK’s economy and society, and to reflect the current business model for managed services in the UK.
The government recognises the strong support for narrowing the scope of managed services regulated under the proposed measure by using a risk-based assessment. While the government is not currently proposing to include these characteristics in legislation, it will work closely with the regulator, the Information Commissioner, on how to apply the risk-based criteria in its application of the regulations.
Proposal to slightly modify the exemption on small and micro business
The consultation responses demonstrated strong support for the proposal to modify the exemption on small and micro business in the NIS Regulations. The government intends to largely maintain the exemption for small and micro businesses from the NIS Regulations, but will provide the Information Commissioner with the power to designate specific small or micro digital service providers within its scope, if they are deemed systemically critical to the UK’s critical services or national security.
4.2. The supervisory regime for digital service providers
Proposal summary
Establishment of a two-tier supervisory regime for digital service providers in scope of the NIS Regulations. This would involve developing a proactive (ex-ante) supervisory regime for the most critical digital services and a reactive (ex-post) supervisory regime for the remaining digital services regulated under the NIS Regulations.
Analysis summary
Over three-quarters (79%) of respondents agreed with the proposal to establish a two-tiered supervisory regime for providers of digital services.[footnote 17] Within this, a higher proportion of organisations that are currently in scope of the NIS Regulations agreed with this proposal compared to organisations that are not currently in scope of the NIS Regulations (100% compared to 63%).[footnote 18] Additionally, 69% of respondents who consider their organisation to meet the criteria of a managed service (as outlined in the measure to expand the definition of managed service providers) also agreed with the proposal.[footnote 19]
Over two-thirds (69%) of respondents agreed with the proposal to define the factors that the ICO should take into consideration as part of the two-tiered supervisory regime.[footnote 20] Similarly, the majority of organisations currently in scope of the NIS Regulations and those which meet the criteria for a managed service also agreed with the proposal (77% and 73% respectively).[footnote 21]
Around nine in ten (89%) respondents agreed that further guidance on supplier-customer cyber resilience cooperation is necessary, particularly as part of a supervisory regime for the most critical digital service providers.[footnote 22] All organisations in scope of the NIS Regulations that are a relevant digital service provider and meet the criteria of a managed service, agreed with the statement that further guidance is necessary.
Respondents were asked how effective they consider each of the government’s proposed options for factors in capturing the most critical digital services to the UK. As shown in Figure 2, a large majority of respondents considered all factors to be either ‘very effective’ or ‘somewhat effective’. The factors which had the highest proportion of respondents stating these would ‘not be effective’ included scale (37%), financial (25%), market reach (19%) and market concentration (13%).[footnote 23]
Figure 2: How effective do you believe each of the government’s proposed options for factors would be in ensuring the digital services most critical to the UK’s resilience are captured?
Option | Not at all effective | Somewhat effective | Very effective | Don’t know | Total |
---|---|---|---|---|---|
The criticality of the customers supplied | 8% | 44% | 42% | 6% | 100% |
The level of dependence of the customer on the service | 8% | 48% | 38% | 6% | 100% |
The level of connectivity and access to the customers network | 6% | 42% | 48% | 6% | 100% |
Market reach | 19% | 56% | 17% | 8% | 100% |
Scale | 37% | 48% | 8% | 8% | 100% |
Financial | 25% | 58% | 10% | 10% | 100% |
Concentration in the market | 13% | 56% | 23% | 8% | 100% |
The likely consequences for national security | 6% | 35% | 50% | 8% | 100% |
Respondents were then asked why they believed certain factors to be effective or ineffective, and could use a text box to explain their reasoning. To analyse these results, we thematically coded the responses, which are shown in Table 4. As detailed in Table 4, the majority of respondents indicated finding the criticality of the customers supplied (56%), the level of dependence of the customer on the service (59%), the level of connectivity and access to the customers’ network (52%), and the likely consequences for national security (63%) to be effective options.
Table 4: Why do you believe the government’s proposed options for factors in ensuring the digital services most critical to the UK’s resilience are effective or ineffective?
Factor | Regulation in the market is not needed - market is already self-sufficient | Loopholes in regard to size of MSPs - need to consider scope and impact of the businesses | Some effect but the proposal could go further | Proposed options are effective |
---|---|---|---|---|
The criticality of the customers supplied[footnote 24] | 4% | 7% | 11% | 56% |
The level of dependence of the customer on the service[footnote 25] | 4% | 7% | 15% | 59% |
The level of connectivity and access to the customers network[footnote 26] | 0% | 7% | 19% | 52% |
Market reach (e.g. average number of clients supported by a service)[footnote 27] | 0% | 15% | 15% | 33% |
Scale (e.g. annual staff headcount of a service)[footnote 28] | 0% | 15% | 30% | 33% |
Financial[footnote 29] | 0% | 15% | 26% | 30% |
Concentration in the market[footnote 30] | 0% | 7% | 19% | 48% |
The likely consequences for national security[footnote 31] | 0% | 7% | 7% | 63% |
Respondents were then asked whether they had any suggestions for alternative factors or options that the government should consider. Within this, common responses included:
- factors should be based on the supply chains of operators of essential services and/or critical national infrastructure;
- factors needed further consultation;
- factors should include and consider current levels of cyber security within the organisation.
Government policy response
Feedback from respondents suggests there is strong support for the government to introduce a new approach to regulating digital service providers under the NIS Regulations.
In the consultation, a two-tier supervisory regime scheme was set out. However, as some responses from the consultation indicated, determining the appropriate criteria for a tiered regime could be problematic. In consequence, the government is considering whether a more flexible, risk-based assessment may be a better approach.
The government proposes to implement this supervisory approach through non-legislative means as far as it is practicable. The Information Commissioner will be responsible for producing any guidance on how it will regulate digital services using a risk-based approach and will identify and assess those digital service providers which play the most critical role in supporting the resilience of the UK’s essential services.
The government will also update its guidance to competent authorities (link) to reflect the change to a more risk-based approach to regulatory supervision for digital service providers under NIS. The government will consider whether additional provisions are needed to assist the Information Commissioner in gathering the necessary information from digital service providers in order to assess the level of supervision needed.
In addition, the proposal to produce further guidance on supplier-customer cyber resilience cooperation alongside the supervisory regime drew a positive response. This was echoed in further engagements with various industry stakeholders.
The government acknowledges the strong support for this policy, and intends to implement the risk-based approach for digital service providers through non-legislative means as far as possible. Going forward, this means the policy change will most likely be delivered through updates to the relevant guidance, and will be developed in close partnership with the relevant regulated entities.
5. Pillar II: Proposals to future-proof the UK NIS Regulations
5.1. Delegated power to update the NIS Regulations in the future
Proposal summary
Providing ministers with the power to make changes to the NIS Regulations through secondary legislation, without changing the current remit of the regulations (i.e. expanding the scope of the regulations beyond their current purpose would fall outside this power).
Analysis summary
The majority (88%) of respondents agreed with the UK government having the power to amend certain elements of the NIS Regulations and the UK version of the Commission Implementing Regulation 2018/151 through secondary legislation.[footnote 32]
Nearly three-quarters (73%) of respondents agreed with the safeguards and limitations set out by the government in the consultation.[footnote 33] A higher proportion of individuals disagreed with the limitations and safeguards than organisations (45% compared to 3%).[footnote 34] A majority (88%) of organisations that are currently covered by the NIS Regulations also agreed with the safeguards and limitations.[footnote 35]
Of those that disagreed with the safeguards and limitations set out in the consultation (27%):
- 67% stated that the safeguards should be more specific and clearly defined;[footnote 36]
- 22% said that the consultation methods should be defined more clearly.[footnote 37]
When asked whether there were any other safeguards or limitations that the government should consider, the most common responses indicated:
- the need for a requirement to consult and produce impact assessments with industry;
- limited divergence from EU practices; and
- safeguards to be developed with industry.
Around one in five (21%) respondents thought that there are areas of the NIS Regulations in the UK that should not be included in the delegated powers.[footnote 38] These areas related to penalties, the scope of the regulations, and the designation of SMEs.
Government policy response
There was support for the UK government having the power to amend the NIS Regulations, which indicates that respondents considered the proposal is appropriate to maintaining and developing the regulations’ effectiveness. It is also encouraging that the majority of respondents agree with the nature of the safeguards and limitations, and the examples given. Very few respondents disagreed with the proposal, with no consistent theme emerging from these responses. As such, the government will continue to pursue this measure and seek to set it out in legislation as soon as parliamentary time allows.
Feedback on the safeguards focused on requirements to consult and produce impact assessments with industry. Future amendments to the NIS Regulations using this proposed delegated power would be consulted upon with the public, with further government responses being published covering the specific changes.
Impact assessments, including post-implementation reviews (PIR), are an integral part of policy development and there is already a requirement in this context to produce a PIR alongside any primary or secondary legislation. Impact assessments would be carried out, where relevant, for any changes proposed using this delegated power. The government will continue to engage with sectors and regions, especially those likely to be impacted by changes.
Further feedback from respondents on the safeguards noted concerns about divergence from EU practices. Given that the UK is no longer bound by EU legislation and will not be implementing NIS 2.0, there will be differences between the EU and the UK. The UK's legislation is designed for the UK economy and to maximise the benefits to the UK. The UK's approach, through outcomes-focused tools such as the Cyber Assessment Framework, provides a measure of flexibility for companies.
A small minority of respondents believed there should be elements of the NIS Regulations that should be excluded from the proposed power. Penalties, the scope of the regulations, and the designation of small and medium-sized enterprises were all mentioned by respondents. The government understands these concerns but does not believe that the power should exclude these areas, except for scope which was already excluded from this provision in the consultation. Looking forward, we need flexibility to amend and improve the regulations, including on areas such as penalties. Any future changes will, as set out in the consultation, be consulted on with industry.
Based upon the feedback received from the consultation, the government will continue to consider what safeguards and limitations to the power are needed, without limiting the ability to amend the Regulations in the future where deemed necessary.
5.2. Delegated power to amend the scope of the NIS Regulations
Proposal summary
Creating a power allowing the government to change the scope of the NIS Regulations to include new sectors. This could be used to change existing NIS sectors and sub-sectors or to add new sectors and sub-sectors in the future.
Analysis summary
The majority (81%) of respondents agreed with the government’s proposal for a delegated power that would allow the government to amend the NIS Regulations to add new sectors.[footnote 39] Around nine in ten organisations (88%) that are currently covered by the NIS Regulations agreed with this proposal.[footnote 40] Where these organisations disagreed with the measure (12%), common objections were around the need for parliamentary scrutiny on any amendments and for more safeguards to be implemented.
A vast majority of respondents (90%) agreed that the measure should contain safeguards and limitations.[footnote 41] When asked to elaborate on what safeguards and limitations should be in place, common responses included:
- evidence-based safeguards, i.e. they must be justified given the impacts on regulators and the regulated;
- targeted consultation / engagement with industries that are impacted by the changes;
- to allow for adequate parliamentary / public scrutiny and veto powers; and
- that independent stakeholders, such as the academic community, should be consulted.
A large proportion of respondents (86%) agreed that there are benefits in additional sectors being brought within scope of the NIS Regulations.[footnote 42] Respondents were then asked what benefits they saw in additional sectors being regulated. Common responses and themes included:
- an increase in cyber security resilience, due to enforcement of security standards;
- reduced risk from suppliers and an improvement in supply chain security;
- that legislation can evolve to changing threats;
- the potential to stop sector-specific threats that have become prevalent or protect increasingly critical sectors that the economy relies on.
Government policy response
Overall, there was strong support for the delegated power to expand the scope of the NIS Regulations to add new sectors, with wide acknowledgement of the benefits that the Regulations can bring to regulated organisations. Of the minority who disagreed, feedback focused on the need for safeguards, rather than disagreeing with the policy objective of the delegated power, as well as assurance that sectors will be consulted. The government agrees with these responses and recognises the concerns raised. Safeguard elements were included in the original proposals. As such, the government will continue to pursue this measure and seek to set it out in legislation as soon as parliamentary time allows.
Respondents reinforced the suggestions already existing in proposals regarding the need for safeguards. The government agrees with the need for adequate parliamentary and public scrutiny. Proposed amendments to the NIS Regulations made under delegated powers should be subject to public consultation, as appropriate. Amendments to the NIS Regulations via secondary legislation have been consulted on, such as the consultations in 2021 and 2020.
Some respondents voiced concern over the potential of double regulation, whereby organisations fall under the scope of two different pieces of similar regulation. The government recognises this concern but notes that organisations are frequently subject to multiple regulatory obligations. Since the initial implementation of the NIS Regulations in 2018, the UK has opted for an approach that attempts to minimise regulatory burdens where possible on industry.
Respondents also highlighted the need to evaluate the financial burden of the NIS Regulations on candidate sectors and their potential regulators before expanding the NIS Regulations to a new sector or subsector. As highlighted in the section on the delegated power to update the NIS Regulations, the government is required, where appropriate, to produce impact assessments which analyse the costs of a proposed measure on both government and industry as part of policy development. These impact assessments are scrutinised by the government and by the public. An impact assessment was published alongside this consultation detailing the costs of this package of measures on industry [link here].
Such assessments should also be produced when proposing new sectors, after thorough evaluations are carried out by government departments in collaboration with the industry, the public and all other relevant stakeholders. It is also important to note that the government is committed to conducting comprehensive post-implementation reviews of the NIS Regulations at regular intervals; the first review was published in 2020, the second in 2022, and the third will be delivered no later than 2027. Such reviews are an important evidence base that will inform future policy and the need for future sectors to be considered.
Respondents also highlighted that regulatory intervention via the NIS Regulations may not be the appropriate solution for some sectors, suggesting instead softer intervention through tools such as an enhanced version of Cyber Essentials (a voluntary, government-backed cyber security certification scheme). Where applicable and least burdensome, the government will consider the use of standards and certification. However, large-scale certification is not always appropriate, and tailor-made interventions may be required to minimise burdens and ensure that the regulations remain proportionate; the government will consider this moving forward.
5.3 Measure to regulate critical sectoral dependencies in NIS
Proposal summary
Creating a new power to designate critical suppliers or services, on which existing essential and digital services depend, bringing them directly into the scope of the NIS Regulations. The services provided by designated entities would then fall under the remit of the NIS Regulations and will provide a discretionary power to take appropriate and proportionate measures to secure them.
Analysis summary
The majority (90%) of respondents agreed with the proposal for the government to have power in designating critical dependencies.[footnote 43] All (100%) organisations that are currently in scope of the NIS Regulations agreed with this proposal.[footnote 44] This was also the case for organisations that indicated meeting the criteria of a managed service.[footnote 45]
Respondents were given the opportunity to provide any suggestions for changes or an alternative approach that would allow for the designation of critical dependencies. Common themes that emerged from the responses were:
- the need for more guidance / criteria to be published about the process;
- for more consultations with industry and/or reliance on industry expertise;
- to recognise the commercial implications / impact on existing suppliers;
- to carefully consider the scale/scope of the designations;
- that self-regulation is sufficient and no government intervention is required.
The consultation then asked respondents whether they thought there are any additional safeguards that they thought were necessary. Again, respondents highlighted the need for clear guidance, documentation, and parliamentary oversight and to engage with industry and experts.
Finally, the consultation asked respondents whether there were any other comments that they would like to make about this measure. Respondents raised concerns over resourcing and the capacity of regulators. They also highlighted the difficulties around regulators having multiple sector responsibilities for a critical dependency or an overlap of regulatory oversight. For instance, one respondent highlighted the need to “ensure that the industrial regulator not only has the relevant regulations in place, but the capacity to enforce those regulations and ensure compliance”, suggesting that the government considers “circumstances which may arise leading to NIS and the industry regulations to diverge, and how to manage that.”
Government policy response
Overall support from respondents on the measure to regulate critical sectoral dependencies under the NIS Regulations indicates widespread support for the government’s proposal. Critical feedback from respondents focuses on the implementation of designation powers, rather than the fundamental need for them. As such the government will continue to pursue this measure.
The need for more detail around the designation process was cited by respondents as both a suggested change in approach and an additional required safeguard. The publication of a clear, transparent process for designation decisions is a necessary precondition for this power. However, much of the detail that respondents were seeking will be the subject of further implementation guidance from regulators and is yet to be determined. Nonetheless, the government considers that any power to designate should have a clear, transparent process, and that designated organisations should have the opportunity to make representations before such a decision comes into force.
Another theme amongst responses was the need to draw on industry expertise in identifying critical dependencies. Industry engagement and consultation is an important part of the sectoral risk assessments that sit at the core of being able to identify organisations as critical dependencies. The government will encourage regulators, operators of essential services and government departments to engage closely with industry.
Competent authorities will identify the exact terms of industry engagement in designing their processes for sectoral risk assessments, and are likely to rely heavily on information from the sectors they regulate about which services are critical and what represents a dependency. Critical dependencies cannot be robustly or consistently identified by competent authorities, or operators of essential services, acting in isolation. It will not be possible for individual operators to ‘self-register’ critical dependencies based on their individual circumstances.
While individual organisations will be able to identify the organisations on which their own critical services rely, they will not have the cross-sector view required to identify systemic, aggregate risks, or consider whole sector impacts of an incident. Designation must therefore be managed by competent authorities rather than being a process where operators of essential services can nominate or designate organisations unilaterally.
Feedback on the measure highlighted the need to recognise the commercial implications of designations and the impact on existing supply relationships. This power should avoid creating a situation where an operator was left temporarily unable to procure a critical underlying service as the only supplier has left the market due to the threat of regulation, or due to the inability to claim back costs of compliance. This consideration is equally relevant to the proposed measures around digital service providers, and was also raised in industry engagement undertaken during the consultation period. The potential for such unintended consequences should be considered when designation decisions are being made.
To implement this feedback, the government will consider setting out such factors for competent authorities to consider in their recommendations, before a decision is made. When arriving at a designation recommendation, competent authorities should be required to consider such factors as the potential impact on any existing contracts, and any immediate impacts on an operator of essential service’s ability to procure the service. Such commercial considerations should not, however, act as an absolute barrier to an organisation being designated by the government. The fact that an operator may be so dependent on a single supplier that they could not function without them is exactly the risk that this measure is seeking to address. Instead, consideration of commercial implications should allow competent authorities to identify any necessary mitigations to ensure continuity of essential services.
Feedback which opposed the measure generally expressed the view that operators, rather than regulators, should be managing risks from their suppliers themselves. In most cases, it is appropriate for operators to manage cyber risks from their own supply chain, and risk management for most supply relationships will remain the responsibility of operators. Critical dependencies, however, represent a special category of supplier where additional oversight is necessary. Critical dependencies may occur, for instance, where risk is concentrated because several operators rely on a single organisation. Individual operators could not be expected to know where such concentration exists, nor should they be expected to entirely mitigate such multi-organisation, potentially multi-sector reliance by themselves. In such cases the government believes the risk is significant enough to require regulatory oversight. Risks arising from an organisation that supplies a single operator of essential service are much more likely to continue to be managed via their existing contractual requirements and other relevant arrangements.
5.4. Additional incident reporting duties beyond continuity of service
Proposal summary
Expanding the current incident reporting duties to include incidents that do not actually affect the continuity of the service directly, but nonetheless pose a significant risk to the security and resilience of the entities in question and the essential services they provide.
Analysis summary
Around two-thirds (68%) of respondents agreed with the government’s proposals to expand incident reporting duties to include incidents that do not directly affect the continuity of service.[footnote 46] A greater proportion of individuals agreed with the proposal than organisations (70% compared to 50%).[footnote 47] However, nearly two-thirds of organisations (67%) that are currently covered by NIS Regulations agreed with this proposal.[footnote 48]
When asked to explain their answers, common themes included:
- general support for the measure;
- the measure may be too burdensome on UK industry or regulators;
- reporting duties needing to be more specific; and
- the measure does not go far enough.
Respondents were then asked whether they agreed with the proposal for the additional incident reporting requirement for “any incident which has a significant impact on the availability, integrity, or confidentiality of network and information systems, and that could cause, or threaten to cause, substantial disruption to the service.” A majority of respondents (54%) agreed with the proposal.[footnote 49] Within this, a greater proportion of organisations disagreed with this measure compared to individuals (69% compared to 55% respectively).[footnote 50] However, the majority of organisations (58%) that are currently covered by the NIS Regulations agreed with this measure.[footnote 51]
When asked to explain their answer further, common themes included:
- the need for the measure to be more specific, due to difficulties in interpretation;
- general agreement with the proposed measure; and
- that the measure does not go far enough.
Respondents were given the opportunity to provide alternative suggestions for how the additional incident reporting requirement could be defined. A common suggestion from respondents was to further specify the terms or the criteria in the proposed definition. For instance, one respondent stated “any incident which has a significant adverse impact on the availability, integrity, or confidentiality of the operators of essential services’ or relevant digital service providers’ network and information systems, and that could cause, or threaten to cause, substantial disruption to its essential service or digital service or substantially adversely impact the integrity and/or confidentiality of its network and information system”. However, some respondents thought that “any cyber security incidents should be reported” as this “will allow the regulators to simplify the messaging campaign and concentrate more on refining the report handling systems”.
Finally, respondents were asked what factors they felt are the most important when assessing whether an incident has the potential to impact the continuity of service. Common themes from this question included:
- factors that are linked to company impact and recovery, i.e. service availability and recovery capability;
- factors that are linked to the criticality of the targeted asset;
- factors that are linked to a type of incident/ threat actor, i.e., threat actor’s motivations; and
- the impact on the wider sector / economy.
Government policy response
Overall, responses to this measure were largely positive, although to a lesser extent than the previous measures. Most respondents agreed with expanding incident reporting under the NIS Regulations, so that it captures not only incidents that disrupt the service, but also those that pose a high risk to, or have an impact on, the service even though they do not immediately disrupt it. Some respondents highlighted challenges around identifying exactly when the expanded reporting duty would apply, as well as the content and purpose of the incident reports. The government, in collaboration with industry, technical authorities and regulators, will work to improve clarity on the precise circumstances in which reporting will be required under this proposal.
Feedback highlighted the need for more precise detail as to circumstances in which reporting will be required under the proposed expanded duty. As with the current duty, such detail will be included in competent authority guidance, rather than legislation; the proposal is primarily concerned with the duty itself, rather than the process of notifying incidents.
The proposed expanded reporting duty will be supplemented, as the current duty is now, by guidance on reporting thresholds set by the regulators, in collaboration with the NCSC and regulated bodies.
Some respondents attributed underreporting to factors beyond the narrow reporting duty in the NIS Regulations, such as the complexity of reporting systems, the lack of clarity as to which authority a company should report to, noting more generally that this created a burden for industry. The government sympathises and agrees that there is a need to clarify and simplify the reporting process.
Respondents also questioned the contents of incident reports. The exact specifications of the incident report are not, and will not be, set out in legislation, but will be specified by the regulators in their guidance.
Feedback from some respondents focused on how the sensitive incident report information would be processed. The current policy proposal remains in line with the existing requirements of regulators to appropriately safeguard such information and to use it for the purposes set out in the regulations.
5.5. Full cost recovery for NIS functions
Proposal summary
The proposal is that some additional costs incurred by competent authorities for regulating NIS be transferred from the taxpayer onto the organisations in scope by creating a more flexible model that allows them to raise fees and recover costs for relevant NIS activities; this would lead to a full cost recovery model for the NIS Regulations.
Analysis summary
The majority of respondents (54%) disagreed that the current cost recovery mechanism (invoice-based) needs to be changed.[footnote 52] A higher proportion of responses from organisations disagreed with the measure compared to individuals (75% compared to 54%).[footnote 53] However, the majority (56%) of organisations that are currently regulated by the NIS Regulations agreed that there needs to be changes to the cost recovery mechanism.[footnote 54]
When respondents were asked to explain their answers further, common themes included:
- that the current cost recovery mechanism is sufficient;
- that the cost structure needs to take into account factors such as existing fees, hidden costs, and size of an organisation so as to not impose an undue burden;
- the regulator expenditure must be transparent and justified; and
- the powers will give the regulator an incentive to chase negative outcomes, such as increased fines.
When asked how the government should best fund regulatory oversight of the NIS Regulations:
- 44% indicated fees, fines, or existing models already used by the government;
- 38% indicated central funding through Her Majesty’s Treasury;
- 18% indicated a funding model that takes into account the impact on consumers.[footnote 55]
In the consultation, respondents were presented two options relating to how competent authorities should recover their costs from companies. The two options were:
- Option one: removing the limitation in the legislation and expanding cost recovery to all regulatory activities; and
- Option two: introducing a ‘hybrid’ cost recovery model that allows competent authorities to both recover costs on an estimated/projected basis and to recover exact costs through invoices.[footnote 56]
As shown in Figure 3, nearly two-thirds (64%) of respondents thought that option one was either ‘somewhat effective’ or ‘not at all effective’.[footnote 57] Similarly, around two-thirds of respondents (66%) thought option two was either ‘somewhat effective’ or ‘not at all effective’.[footnote 58]
Figure 3: How effective do you believe each of the government’s proposed options for how competent authorities should recover their costs from companies will be?
Response | Option 1 | Option 2 |
---|---|---|
Very effective | 11% | 13% |
Somewhat effective | 32% | 33% |
Not at all effective | 32% | 31% |
Don’t know | 25% | 22% |
When asked to explain their answer, the majority of respondents (57%) highlighted that both options have certain flaws.[footnote 59] For instance, one respondent stated that “a cost structure that is overly dependent on enforcement activity may struggle to recoup sufficient costs, as incident numbers can vary; and may also encourage regulated organisations (including providers) to conceal the true impact of incidents”. Additionally, another respondent highlighted that “a cost structure that is overly burdensome may cause some organisations to withdraw from markets - this could be significant in some industries where only one or two smaller providers are capable of delivering critical services”.
Respondents were asked whether they had any concerns about the burden that this proposal would place on regulated organisations, considering the other regulations they may be subject to. Nearly three-quarters (73%) of respondents indicated having these concerns.[footnote 60] Within this, a higher proportion of individuals cited these concerns compared to organisations (53% compared to 25%).[footnote 61] Nearly two-thirds (65%) of organisations that are currently covered by NIS Regulations and 60% of organisations who meet the criteria of a managed service also cited concerns with this proposal.[footnote 62]
When asked to explain their answer, responses broadly fell into three categories:
- general financial concerns around the proposal, such as the impact on consumers, market barriers, and unchecked spending by regulators;
- concerns around the risk of unwarranted increase in workloads, due to ambiguous definitions and/or an already complex regulatory landscape; and
- suppliers and businesses should cover the costs of the proposal.
Finally, respondents were asked if there were any other comments that they would like to make about this measure. Common themes were:
- the need for more clarity and guidance on the proposal;
- for cost recovery and expenditure to be transparent, reasonable, proportional, and approved by industry;
- suggestions to base the new model on those used for other regulations (e.g. ICO’s GDPR cost recovery model);
- support for keeping the existing model due to competition concerns.
Government policy response
This element of the consultation received the most challenge in the feedback, and has raised important questions, which the government has taken on board when carefully considering the formulation of the cost recovery policy for NIS competent authorities. As there is no clear support (respondents are broadly negative, with 54% against and 46% in favour), it is important to tackle the reasons for disagreement and provide clarifications and/or solutions for this proposal to reduce these concerns.
When considering the reasons for disagreement with this proposal, the main themes emerging from respondents were that (1) the existing cost recovery is sufficient, (2) cost structures must take into account factors such as existing fees, hidden costs, and size of organisations, (3) regulator expenditure must be transparent and justified, and (4) the powers will give the regulators an incentive to chase negative outcomes.
The government’s starting position is that the existing cost recovery system is not sufficient. It relies on central government funding and the reclaiming of costs at a later date. It is the government’s view that in general the cost burden of regulation should fall on the regulated, not the general taxpayer. Therefore we need a cost recovery scheme for NIS that reduces the burden on the taxpayer.
There are explicit limitations in the NIS Regulations that do not permit regulators to recoup costs arising from enforcement; such restrictions are enshrined in regulation 21(6)(a). As such, regulators cannot recover their full costs under the legislation. There are examples of regulators with greater cost recovery powers in respect of other legislation.
Regulators should establish their cost recovery mechanisms in ways that are as transparent and simple as possible. The government’s proposal to introduce a more flexible ‘hybrid’ mechanism aims to give regulators more freedom to establish costs in a way that is more transparent and takes into account the wider regulatory burdens, size, and other factors. As suggested in the consultation, a regulator could for instance choose to charge on a projected basis, a ‘set fee for regulated entities, with entity-specific costs […] charged on an historic, as incurred basis’. A regulator would equally have the freedom to choose a different cost recovery model more appropriate to its sector. Fees would be established with input from regulated entities (as is general practice), would be made publicly available, and would give regulated entities a clear expectation of costs, which in turn makes the regime more transparent. This will also alleviate concerns over ‘unchecked regulator spending’.
By allowing regulators to have a more flexible regime, the NIS Regulations cost-recovery mechanism can be better aligned to actual costs. They will be more streamlined and regulators would have more freedom to establish fees with the input of industry in advance, helping with advance planning and budgeting. These benefits would be in addition to the primary objective of ensuring that regulators are able to confidently enforce the regulations. The government believes that this proposal goes some way in alleviating some of the concerns raised in the feedback around the need for cost recovery and expenditure to be ‘transparent, reasonable, proportional, and approved by industry’.
In regard to concerns about creating negative incentives (e.g. increasing fines or sending more notices), it is important to note that the proposal is to expand cost recovery to cover enforcement costs, rather than to use enforcement as an additional source of income to cover wider NIS costs. As such, it is expected that regulators will only establish such fees and recover those costs that are directly incurred as a result of enforcing the regulations.
Next steps
The government will reflect on the outcome of this consultation, but remains committed to implementing an improved, fairer cost recovery scheme for the NIS Regulations.
The feedback showed a necessity for further guidance, clarification, and reassurance from the government that the proposals will take into account a wide range of factors, that they will remain appropriate and proportionate, and will not create perverse incentives to increase enforcement where unnecessary.
The proposals are meant to expand the cost recovery powers of regulators to cover a small, but important, aspect of the regulations: enforcement. While this represents a much smaller cost than other activities (e.g. auditing and testing), it is important to ensure that regulators have the right tools to recover their costs and do not rely on taxpayer subsidy. The second element, to implement a more flexible mechanism, will consider examples from existing legislation and guidance which permit the recovery of enforcement costs.
In light of this, the government considers that the proposals can address the concerns raised in the consultation feedback, and recognises that there should be better and more robust guidance on how the process will work in practice. As such, it will continue with the proposals and implement the feedback where possible. Moving forward, the government will work with the regulators to ensure that their cost recovery mechanisms take the feedback into account effectively and remain transparent, appropriate, and proportionate.
Annex 1 - Further rationale on updated characteristics for managed services in scope of NIS legislation
| Revised proposed characteristics: managed services | Further information, including rationale for changes since the consultation |
|---|---|
| 1. The managed service is provided by one business to another business and, | This sets out the intention that managed services used for internal purposes only are not intended to be in scope of this legislative measure. For the avoidance of doubt, government, local authorities and other public bodies are intended to be in scope if they provide managed services of the categories defined here. |
| 2. The service is related to the provision of IT services, such as systems, infrastructure, networks and/or security, and | This has been added for clarity in response to industry feedback. The characteristic sets out the intention that managed services that are IT services will be in scope of NIS legislation. This characteristic scopes out non-IT services such as business process outsourcing (e.g. HR and payroll). |
| 3. The service relies on the use of network and information systems, whether these are the network and information systems of the provider, their customers or third parties and, | This characteristic has been added to clarify that services are intended to fall within the scope of the legislation when they rely on a third party’s or the customer’s networks to supply their service, not just their own networks. Responses to the consultation highlighted that the previously suggested wording was unclear. |
| 4. The service provides regular and ongoing management support, active administration and/or monitoring of IT systems, IT infrastructure, IT networks and/or the security thereof | This characteristic sets out the intention that services which do not provide regular and ongoing support, such as software development or ad hoc consultancy services, are not intended to be in scope. “Security thereof” has been added for the avoidance of doubt that managed security services are intended to be in scope. Responses to the consultation and industry round tables highlighted that the inclusion of managed security services within the scope of the legislation was not immediately clear as previously worded. |
Footnotes
1. Base: 111 respondents.
2. Base: 19 organisations.
3. Base: 110 respondents.
4. The original examples of managed services can be found in Annex A of the ‘Proposal for legislation to improve the UK’s cyber resilience’.
5. Base: 19 organisations.
6. Base: 90 respondents.
7. Base: 90 respondents.
8. Base: 91 respondents.
9. Base: 86 respondents.
10. Base: 34 respondents.
11. Bases: Option A: 76 respondents, Option B: 76 respondents.
12. Base: 54 respondents.
13. Base: 83 respondents.
14. A micro business has fewer than 10 employees.
15. A small business is classified as having between 10 and 49 employees.
16. Base: 4 micro and 12 small organisations.
17. Base: 67 respondents.
18. Base: 17 organisations currently covered by the NIS Regulations and 16 organisations not currently covered by the NIS Regulations.
19. Base: 13 respondents.
20. Base: 61 respondents.
21. Base: 17 organisations currently covered by NIS and 11 organisations meeting the criteria of a managed service provider.
22. Base: 63 respondents.
23. Base: factors 1, 2, 4, 5 & 7 (the criticality of the customers supplied, the level of dependence of the customer on the service, market reach, scale, concentration in the market) had 52 respondents. Factors 3 and 6 (the level of connectivity and access to the customer’s network, and financial) had 53 respondents. Factor 8 (the likely consequences for national security) had 51 respondents.
24. Base: 27 respondents.
25. Base: 28 respondents.
26. Base: 25 respondents.
27. Base: 24 respondents.
28. Base: 28 respondents.
29. Base: 25 respondents.
30. Base: 25 respondents.
31. Base: 26 respondents.
32. Base: 72 respondents.
33. Base: 64 respondents.
34. Base: 20 individuals and 35 organisations.
35. Base: 16 organisations.
36. Base: 9 respondents.
37. Base: 11 respondents.
38. Base: 53 respondents.
39. Base: 63 respondents.
40. Base: 16 organisations.
41. Base: 61 respondents.
42. Base: 61 respondents.
43. Base: 63 respondents.
44. Base: 15 organisations.
45. Base: 11 organisations.
46. Base: 73 respondents.
47. Base: 20 individuals and 28 organisations.
48. Base: 18 respondents.
49. Base: 73 respondents.
50. Base: 20 individuals and 29 organisations.
51. Base: 19 respondents.
52. Base: 48 respondents.
53. Base: 24 organisations, 13 individuals.
54. Base: 16 respondents.
55. Base: 39 respondents.
56. Through monthly/quarterly/annual fees.
57. Bases: Option 1: 44 respondents, Option 2: 44 respondents.
58. Base: 44 respondents.
59. Base: 30 respondents.
60. Base: 48 respondents.
61. Base: 15 individuals and 24 organisations.
62. Base: 14 organisations and 10 organisations respectively.