November 3, 2024
Data Protection Law

The UK Government plans to introduce new cybersecurity legislation across the UK in the form of the Cyber Security and Resilience Bill (the Bill). The Bill’s objective is to improve the law around cybersecurity generally to make the UK’s critical and cyber infrastructure more resilient in the face of frequent and damaging cyberattacks.

Neil Williamson and Colin Lambertus, from EM Law, were featured in OneTrust’s DataGuidance, writing an article and delving into the Bill and how it may be influenced by other developments in cybersecurity regulation, including the consultation on the NIS Regulations and the NIS 2 Directive.

Background

As the Bill is yet to be published, concrete details are sparse. In an explanatory summary, the UK Government states that the Bill ‘will make crucial updates to the legacy regulatory framework by:

  • expanding the remit of the regulation to protect more digital services and supply chains…;
  • putting regulators on a strong footing to ensure essential cyber safety measures are being implemented…; and
  • mandating increased incident reporting to give government better data on cyberattacks…’

These broad statements give clues as to the content of the Bill.

It seems likely that the Government intends to revise existing legislation – the NIS Regulations 2018 (rather than develop a new regulatory framework (‘expanding the remit of the regulation’).

The NIS Regulations, implementing the EU’s Directive (EU) 2016/1148 (NIS Directive), established additional requirements for in-scope organisations to implement cybersecurity measures to protect data (not just personal data). These organisations are also obliged to report cybersecurity incidents that seriously affect the continuity of service.

The organisations that are in scope are providers of essential services (health, energy, water, transport, and digital infrastructure) and also ‘digital service providers’ – defined in the NIS Regulations as online marketplaces, online search engines, and cloud computing services. There are carve-outs for small and micro organisations in all sectors and categories.

In 2020 and again in 2022, the previous Conservative Government published two post-implementation reviews of the NIS Regulations. These reviews highlighted that the NIS Regulations are inadequate. The Conservative Government therefore intended to update the NIS Regulations, launching a public consultation. The Conservative Government’s response to that consultation, which indicated a change in the law, set out in broad terms the areas of reform. The recent UK election prevented the reform from being implemented. 

The new Labour Government’s summary of the Bill recalls the areas of reform that the Conservative Government was planning. Whilst the Bill is not going to be exactly the same, the Bill will likely base at least some of its proposed changes on that consultation response.

Additionally, the Bill may also be influenced by the EU’s Directive (EU) 2022/2555 (the NIS 2 Directive). Due to be brought into force amongst Member States in October 2024, and fully effective by January 2025, the NIS 2 Directive strengthens the NIS Directive.

Neil and Colin consider how the prior consultation on the NIS Regulations in the UK and the NIS 2 Directive could influence the drafting of the Bill below.

Consultation on the NIS Regulations

The previous Conservative Government’s consultation covered two primary ‘pillars’ of reform:

1. ‘proposals to bring additional critical providers into the UK’s cybersecurity regulatory framework;’ and

2. ‘proposals to future-proof the UK’s existing cybersecurity legislation, primarily the [NIS Regulations].’

Pillar 1 

Managed service providers

The NIS Regulations do not capture a core group of suppliers that businesses across the UK rely on – so-called ‘managed service providers.’ Managed service providers deliver internal business support services such as remote IT support and security, payroll, virtual desktops, and so on.

The consultation initially proposed a wide definition that would capture most functions that businesses regularly outsource. This received pushback from the public – not every outsourced function is critical. Accordingly, the definition of a managed service provider was subsequently narrowed:

image of a traffic flow blur inside an article by EM Law about UK: Cyber Security and Resilience Bill Overview

‘the managed service is provided by one business to another business…;’

‘the service is related to the provision of IT services, such as systems, infrastructure, networks, and/or security;’

‘the service relies on the use of a network and information systems, whether this is the network and information systems of the provider, their customers, or third parties;’ and

‘the service provides regular and ongoing management support, active administration, and/or monitoring of IT systems, IT infrastructure, IT network, and/or the security thereof.’

The revised definition captured providers and supporters of IT infrastructure, but excluded data centers, software developers, and non-IT services such as payroll.

The carve-out for small and micro-managed service providers was to remain, although the Information Commissioner’s Office (ICO) was to gain new powers to select small and micro-service providers that were important enough to be considered in the scope of the NIS Regulations. In-scope managed service providers were to become a fourth category of digital service providers within the existing ambit of the NIS Regulations.

The summary of the Bill hints at a similar approach. A key point, therefore, is whether the Bill will keep to an IT-focused definition of managed service providers or a wider, business support definition originally put forward by the Conservative Government. 

Enhanced supervisory regime

The consultation originally proposed a two-tier supervisory regime of digital service providers (including managed service providers).

The ICO would be given additional powers to set out thresholds in which a digital service provider would be deemed to be ‘critical.’ Critical digital services would be regulated pro-actively. Non-critical digital services were to be subject to a reactive regime. Essential services are not included because they were deemed to be regulated enough.

After more public pushback, especially on the criteria for criticality, the two tiers and a reactive regime more generally were abandoned. Instead, it was considered that more guidance and an enhancement of the ICO’s existing powers would be more appropriate.

Again, the Bill hints at a proactive regulatory regime. Whilst it is doubtful that the Bill will set out proactive regulation of all digital service providers, proactive legislation of the most critical suppliers seems likely.

Pillar 2 

Delegated power to add essential sectors

The consultation proposed that the NIS Regulations should be updated to delegate powers to add and remove additional essential sectors on an evolving basis without the use of primary legislation (more flexibility and less official scrutiny). Limited safeguards were proposed (i.e., requiring further consultation before new sectors were added).

The summary of the Bill does not explicitly refer to additional sectors being added in some way, although the emphasis on more supply chains coming under regulatory oversight would naturally suggest additional services being considered essential.

Critical suppliers to essential services

The consultation also suggested that the ICO could be given powers to designate suppliers (not only digital service providers) to essential services as being a ‘critical dependency.’ In other words, third parties that supply mission-critical services to essential suppliers could also come under the NIS Regulations.

The response to the consultation gave a green light to the concept of critical dependency, although additional emphasis was placed on the relevant authorities being subject to strict guardrails around the designation process.

The Bill highlights additional protection in ‘supply chains.’ This suggests that suppliers to essential services might be brought in under the Bill’s reforms as well and in line with the concept of critical dependency. Recent cyberattacks on non-IT related suppliers (like medical testing providers to hospitals in the UK) have made headlines and are referred to in the summary of the Bill.

Additional reporting duties

The NIS Regulations require, in broad summary, that in-scope organisations report events that significantly affect the continuity of service. The consultation highlighted that reporting of such incidents was minimal – while cyberattacks kept having an adverse impact, they were not significantly affecting continuity of service.

The response to the consultation stated that reporting obligations would be widened in some form.

The summary of the Bill states that the Bill will be ‘mandating increased incident reporting.’ The scale of that increase is unclear, but in-scope organisations can expect either lower thresholds for reporting when continuity is affected, or indeed doing away with the concept of ‘continuity’ altogether.

NIS 2 Directive

The NIS 2 Directive is due to be fully effective in January 2025. It would be surprising if the Bill did not take inspiration from some of the NIS 2 Directive’s core concepts and its changes to the NIS Directive, although the summary of the Bill is less reminiscent of the NIS 2 Directive than the Conservative Government’s consultation. Looking at what the summary of the Bill has set out, some of the most relevant concepts and changes could be as follows.

Revised categorization

Many more essential sectors have been added to the NIS 2 Directive, significantly increasing its scope. A core addition is the inclusion of ‘ICT service management’ as an essential sector – ICT service management includes managed service providers and managed security service providers.

ICT services, as defined in the EU Cybersecurity Act (Regulation (EU) 2019/881), means ‘a service consisting fully or mainly in the transmission, storing, retrieving, or processing of information by means of network and information systems.’ This is a wide definition, with a focus (but not an exclusive focus) on IT service provision.

Further, the NIS 2 Directive has done away with the distinction between essential services and digital service providers set out in the NIS Directive and replaced it with a long list of ‘essential’ and ‘important’ providers within all the various essential sectors. Whether a supplier is essential or important is mainly (but not entirely) subject to its size, but even small and micro entities can be deemed as essential if they operate within certain essential sectors.

This is a different path the Bill could take in bringing more organisations within the NIS Regulations – over 180,000 organisations are estimated to be caught by the NIS 2 Directive across the EU.

Supply chains

The NIS 2 Directive requires in-scope organisations to monitor and regulate their own supply chains to ensure they are resilient in the face of cyberattacks.

Self-regulation is another alternative available to the Bill’s drafters; although given the logic that there are simply fewer businesses in the UK that could fall under the Bill’s reforms, we can expect that direct regulation of at least some supply chains will follow if the Bill becomes law. The EU is a much larger entity, and self-regulation was viewed as being a more realistic default position across the EU.

Regulation

Essential entities under the NIS 2 Directive will be subject to proactive regulation from their Member State regulator. The scope of the regulation is expressly set out and includes:

  • inspections and off-site supervision (including random spot checks);
  • regular and ad-hoc security audits;
  • security scans; and
  • powers to access all relevant information and documentation in respect of the in-scope organisation’s policies and procedures.

Important entities are subject to reactive regulation, although relevant authorities, once the decision has been made to take action, have the same powers to ensure compliance.

The previous Conservative Government balked at proactive regulation for digital service providers. However, given the EU’s approach under the NIS 2 Directive, the Labour Government may introduce proactive regulation as part of the Bill.

image of a woman at work making a call inside EM Law article about new UK Bill and cyberattacks regulations

Reporting requirements

All in-scope organisations will be obliged to report to the relevant authority in the event of a ‘significant incident.’ This is an incident that has or is capable of causing substantial disruption or financial loss to the organisation (or has caused or is capable of causing considerable material or non-material damage to others). If such an incident occurs, organisations have 24 hours to give notice and 72 hours to submit more information, with a full report being provided within one month.

The shortening of reporting notice periods was never part of the Conservative Government’s consultation on the NIS Regulations, although lower thresholds were. Given that the many UK businesses operating in the EU that fall within the NIS 2 Directive will have to become used to a 24-hour notice period, harmonizing reporting obligations and periods with the EU would be a no-brainer element of the Bill.

The Bill could also incorporate the wider definition of a reportable event – as set out above. Given that the Conservative Government did not propose a definition in its response to the consultation, the Labour Government will likely follow the EU here.

Conclusion

Given the wealth of desired and impending reform in cybersecurity law in the UK and Europe, respectively, there are many paths the Bill could go down.

The Labour Government has recently designated data centers as ‘critical national infrastructure’ (a concept outside the remit of the NIS Regulations). Given that cybersecurity is evidently a key priority, the Bill is likely to put forward a heavier regulatory regime that would otherwise have been expected under the Conservative Government. Accordingly, a mix of the more demanding elements of both the response to the consultation on the NIS Regulations and the NIS 2 Directive is a likely outcome.

Businesses in the UK should prepare for new obligations. Even if the regulatory burden is less than expected, reform is coming. Given the legislative progress Labour has made in other legal areas, it would not be a surprise if the Bill was put before Parliament by Christmas, with a view to the Bill becoming law in early 2025.

Further Reading