Consultation outcome

Proposal for legislation to improve the UK’s cyber resilience

Updated 30 November 2022

1. Ministerial foreword

Julia Lopez MP, Minister of State for Media, Data, and Digital Infrastructure

Cyber security threats facing the UK are evolving all the time. What was not even considered a risk five to six years ago is now a potential threat. We need to be adaptable in the face of this changing threat landscape and our legislation needs to be adaptable too.

Five years ago, few people outside of the tech industry had heard of managed service providers. Cloud was the big thing that was going to change the world (and many argue it has already). But managed services such as remote security operations, automatic patching, and digital accounts and billing were considered mainly as corporate benefits, a means to improve services and reduce costs.

What was not recognised until recently, was that having companies with the ability to automatically access the networks of thousands of other companies, would create a unique security threat. One that can, and has, been exploited by our adversaries. Rather than having to exploit vulnerabilities in thousands of companies, the threat can manifest itself only through a small proportion of those organisations.

These companies provide an essential service to other businesses and organisations. They allow other companies to thrive and are helping the UK develop its digital economy. We do not want to interfere in their ability to operate. But they do create risks which we need to manage, especially when their clients include government departments and critical infrastructure.

Our proposals here are aimed at addressing these risks, whilst allowing these services to continue and succeed. Through these proposals, we will provide a comprehensive framework to ensure that managed services, of the kind mentioned above, take appropriate and proportionate measures to secure their services. This will allow us to gain from their benefits, whilst mitigating against their risks.

At the same time, we are also taking this opportunity to upgrade our cyber security legislation so that it can more easily manage future risks. Giving us the ability to make amendments to our cyber security regulations, improving incident reporting, and potentially bringing new sectors into scope.

These are proportionate responses to a changing threat landscape, but ones that need buy-in from industry if they are to succeed. I hope that through this public consultation you can contribute your views and help us make the UK a stronger and more secure place to be and do business in.

Julia Lopez MP

Minister of State for Media, Data, and Digital Infrastructure

Department for Digital, Culture, Media & Sport

2. How to respond

We welcome your views. To help us analyse the responses please use the online consultation system wherever possible.

You can visit the Department’s online tool to submit your response. You will be able to select which proposal(s) you wish to respond to.

Hard copy responses can be sent to:

NIS Directive Team
Department for Digital, Culture, Media & Sport
4th Floor - area 4/48
100 Parliament Street
London
SW1A 2BQ

The closing date for responses is 11:45pm on Sunday 10 April 2022.

When providing your response, you are also able to provide contact details if you are open to the department seeking further information or clarification of your views.

This document is also provided in Welsh. Should you require access to the consultation in another format (e.g. Braille, large font or audio) please contact us on 020 7211 6000 or nis@dcms.gov.uk

The information you provide will be used to shape future policy development and may be shared between UK government departments and agencies for this purpose. Personal information will be removed in such instances. Copies of responses, in full or in summary, may be published after the consultation closing date on the Department’s website.

2.1 Freedom of information

Information provided in the course of this consultation, including personal information, may be published or disclosed in accordance with access to information regimes, primarily the Freedom of Information Act 2000 (FOIA) and the Data Protection Act 2018 (DPA).

The Department for Digital, Culture, Media and Sport will process your personal data in accordance with the DPA and, in the majority of circumstances, this will mean that your personal data will not be disclosed to third parties. This consultation follows the UK government’s consultation principles.

If you want the information you provide to be treated confidentially, please be aware that, in accordance with the FOIA, public authorities are required to comply with a statutory code of practice which deals, amongst other things, with obligations of confidence. In view of this, it would be helpful if you could explain to us why you wish that information to be treated confidentially. If we receive a request for disclosure of that information, we will take full account of your explanation, but we cannot give an assurance that confidentiality can be maintained in all circumstances.

3. Overview

The UK defines its most important infrastructure assets, systems, sites, personnel and functions through the lens of critical national infrastructure. Protecting our critical national infrastructure is a key pillar of the national security approach set out in the Integrated Review. As part of the 2016 National Cyber Security Strategy, the government committed to put in place the right regulatory framework to ensure that cyber risk to critical national infrastructure is managed in the national interest. The implementation of the UK Network and Information Systems Regulations 2018 has formed a key part of this approach, alongside other sectoral regulatory frameworks. Maintaining the security of critical national infrastructure in a continually shifting threat landscape is a key challenge for the government as well as the public sector and private sector stakeholders responsible for operating critical national infrastructure.

The Network and Information Systems Regulations have proved invaluable in transforming our understanding of cyber risk, enabling a more consistent approach to the regulatory landscape for cybersecurity across multiple critical national infrastructure sectors. As a result of digitalisation and Net Zero, we face changes regarding what is critical and the increasing dependence of essential services on network and information systems and digital supply chains. It is therefore key that the regulatory framework can adapt to remain effective in driving the improvements needed, to ensure that in the decades to come essential services remain secure and resilient for the UK citizens and businesses that depend on them every day.

Recent high-profile cyber attacks, such as the December 2020 SolarWinds supply chain compromise, the May 2021 ransomware attack on the US Colonial Pipeline, and the July 2021 attack on the managed service provider Kaseya demonstrate how malicious actors are able to compromise a country’s national security and disrupt activities in the wider economy and society. In July 2021 the US Cybersecurity and Infrastructure Security Agency, the Australian Cyber Security Centre, the UK’s National Cyber Security Centre, and the US Federal Bureau of Investigation warned^{[footnote 1]} that public and private organisations worldwide remain vulnerable to compromise from the exploitation of common vulnerabilities and exposures.

Cyber security risks are passed through supply chains. This can result in seemingly small players in a supply chain introducing disproportionately high levels of cyber security risk. This challenge is particularly relevant given the growing reliance of many organisations on companies who provide important essential digital services (such as outsourcing an organisation’s information technology or key business processes), often with privileged access to internal systems (collectively referred to as managed service providers). The attacks set out in the previous paragraph are a stark reminder that cyber security threat actors are capable of exploiting vulnerabilities in supply chains.

3.1 The Network and Information Systems (NIS) Regulations 2018

The NIS Regulations establish legal requirements on select organisations to boost the overall level of security (both cyber and physical resilience) of network and information systems that are critical for the provision of their services. The organisations covered are providers of essential services (in the transport, energy, water, health, and digital infrastructure sectors) and digital service providers (comprising online marketplaces, online search engines, cloud computing services). The NIS Regulations form a major part of the UK government’s legislative efforts to improve the resilience of UK critical infrastructure and services. Other essential sectors, such as finance and banking, were not included in the scope of the NIS Regulations due to the fact that, at the transposition stage, they were deemed to have had equivalent or better regulation already in effect.

The May 2020 Post Implementation Review of the NIS Regulations concluded that there was evidence to suggest that advancements are being made as a result of the NIS Regulations, which were expected to lead to a longer-term improvement in the security of network and information systems, raising their resilience and reducing the risk posed to essential services. Security improvements by operators of essential services and relevant digital service providers, through strengthened standards, processes and procedures, are being made at a faster rate than would have been expected without the introduction of the NIS Regulations.

However, the review also noted that there was scope for further improvement to the NIS Regulations. Although evidence suggests that improvements to security are being made, organisations need to accelerate their improvements. Areas such as supply chain management was highlighted as an issue by competent authorities and organisations in scope. Furthermore, there was a need to further develop and refine the wider enforcement regime, including improvement to the enforcement and information notices, as well to better underline and improve the role for the government to provide more support and guidance to competent authorities in specific areas. Other technical aspects, such as the implementation of a new appeal mechanism were also outlined.

Following the post implementation review, the government put forward legislative amendments to the NIS Regulations, to implement the recommendations of the Review. A public Call for Views on the proposed changes was published in September 2020, with the government’s response published in November 2020 and the changes implemented by a Statutory Instrument (SI 2020/1245), which came into force on 31 December 2020.

While these amendments have taken a number of recommendations forward and improved the regulations, there are a number of recommendations that could not have been implemented via secondary legislation; notably, the extension of a cost recovery model to include all regulatory action, improvements to the incident reporting framework, the addition of delegated powers to make secondary legislation to allow necessary updates to be made to the regulations in the future (whilst remaining within the scope of the regulations), and provisions to amend the scope of the regulations, all of which needing primary legislation to be implemented.

While these recommendations are not the only driver of the current proposals, they nonetheless remain a vital part of the government’s ambition to ensure that the NIS Regulations are appropriate and can effectively secure UK cyber resilience for essential services.

3.2 Proposed approach

It is essential that the UK continues to develop, adapt and strengthen its cyber resilience in the face of an evolving threat. As the Home Secretary said, in her speech to CyberUK in May 2021, cyber security issues are “[among] the most challenging and important issues we face as a country” and “cyber is now a core component of our homeland security mission […], we are taking a new, comprehensive approach to strengthen our position as a democratic cyber power.”^{[footnote 2]}

The proposals set out in this public consultation concern all organisations within the scope of the NIS Regulations, as well as other private and public entities that provide digital services (or a form of service) that an essential service relies on. They seek to address these issues through a comprehensive set of interventions that will act as a response to the gaps and threats outlined above (particularly within the NIS Regulations), and will mature into a longer-term vision for the protection of the UK’s essential services, critical national infrastructure, and the increase of wider cyber resilience across the economy.

This will contribute to the government’s vision for the UK to be a global cyber power, as outlined in the Integrated Review of Foreign, Defence, Security and Development Policy. In particular, it will enable delivery of the Integrated Review’s objective of ‘responsible, democratic cyber power’:

To build a resilient and prosperous digital UK, where citizens feel safe online and confident that their data is protected. We will enable the digital transformation of the UK economy, bolstering our cyber security and ensuring our people, businesses and organisations are empowered to adopt new technology, and are able to withstand and recover from cyber-attacks. We will continue to invest in the NCSC, address critical vulnerabilities in the public sector and our CNI, including our data and digital infrastructure, and ensure the lessons from cyber-attacks are acted upon.^{[footnote 3]}

The measures outlined in this consultation are divided into three ‘Pillars’, each aiming to address a specific objective:

Pillar I: Proposals to bring additional critical providers of digital services into the UK’s cyber security regulatory framework, ensuring that those providers who frequently have privileged access and provide critical support to essential UK services, have adequate cyber security protections in place, and can be regulated effectively and proactively;

Pillar II: Proposals to future-proof the UK’s existing cyber security legislation, primarily the Network and Information Systems (NIS) Regulations^{[footnote 4]}, so that they can adapt to potential changes in threat and technological developments;

Pillar III: Considerations for the standardisation of the cyber security profession, so that we embed consistent competency standards across the cyber profession.

This consultation covers Pillars I and II. Each measure under these pillars is outlined in greater detail below, covering the rationale for intervention, evidence base, and proposed approach.

The Pillar III proposals are being consulted on separately in a consultation on embedding standards and patheways across the cyber profession by 2025. That consultation is running in parallel with this one.

3.3 Summary of proposed measures

• Expand the scope of ‘digital services ’ to include ‘managed services’;
• Apply a two-tier supervisory regime for all digital service providers: a new proactive supervision tier for the most critical providers, alongside the existing reactive supervision tier for everyone else;
• Create new delegated powers to enable the government to update the regulations, both in terms of framework but also scope, with appropriate safeguards;
• Create a new power to bring certain organisations, ones that entities already in scope are critically dependent on, within the remit of the NIS Regulations;
• Strengthen existing incident reporting duties, currently limited to incidents that impact on service, to also include other significant incidents; and
• Extend the existing cost recovery provisions to allow regulators (for example, Ofcom, Ofgem, and the ICO) to recover the entirety of reasonable implementation costs from the companies that they regulate.

4. Pillar I: Proposals to amend provisions relating to digital service providers

4.1 Expanding the regulation of digital service providers

Summary

The proposal is to expand the scope of digital services regulated under the NIS Regulations to include “managed services” and for the providers of digital managed services to be subject to the same duties as other digital service providers.

Rationale for the change

The majority of digital managed services (for example security monitoring, managed network services or the outsourcing of business processes) are not currently within the scope of NIS Regulations^{[footnote 5]}. However, they play a central role in supporting the UK economy and are critical to the functioning, reliability, and availability of essential services in the UK. They are an attractive and high value target for malicious threat actors, and can be used as staging points through which threat actors can compromise the clients of those managed services.

Even more worrying, attackers can use managed services, and their providers, to gain access to clients at scale, potentially disrupting hundreds of companies and essential services at once, as well as accessing intellectual property, sensitive information, and critical data. These clients include companies across multiple sectors of the UK economy and critical national infrastructure. As such, with the potential to disrupt essential services at scale, cyber security vulnerabilities in managed services could constitute a considerable risk to UK national security and society.

Respondents to DCMS’s supply chain cyber security call for views (May 2021) highlighted how the reliance on managed services inevitably expands companies’ attack surfaces. Further to this, respondents noted that the most critical managed service providers can represent a systemic risk to the UK economy and society due to the scale and concentration of their services in the UK market. Despite these risks, there are currently very few mandatory cyber security-specific requirements for managed service providers in the UK market. While guidance is available to companies, such as that provided through the National Cyber Security Centre or the Cyber Essentials scheme, there is no minimum security baseline for managed service providers, unlike other key industries in the UK market. This has contributed to varied levels of cyber security across managed service providers operating in the UK.

In addition, with no baseline security expectations to refer to, it can be difficult for UK companies to demand increased security measures or oversight of managed service providers’^{[footnote 6]} security processes, especially when dealing with larger suppliers. As part of the DCMS supply chain cyber security call for views, the government asked participants to rate a range of policy options to promote the uptake of a future framework for managed service provider cyber security and resilience. 82% of respondents ranked “developing new or updated legislation” as being at least “somewhat effective”. 48% of respondents deemed legislation to be at least “very effective”. These findings show that many respondents and participants in associated industry workshops believe that the impact of voluntary guidance will be significantly limited unless it is mandated through legislation.^{[footnote 7]}

Given the strong support for new or updated legislation on the cyber security of managed services, the government has opted to prioritise the incorporation of managed services into NIS Regulations. This move would reflect the critical role that managed services, like operators of essential services currently included in NIS, occupy in the UK economy. Bringing managed services and their providers under NIS Regulations would provide a baseline for expected cyber security provision and better protect the UK economy and critical national infrastructure from cyber security threats.

4.2 How the measure would work in practice

Under this proposal, managed services would be added to the list of digital services that are regulated under the NIS Regulations. The aim is to capture a broad range of managed services defined by meeting all of the following characteristics:

• they are supplied to a client by an external supplier
• they involve regular and ongoing service management of data, IT infrastructure, IT networks and/or IT systems
• they are categorised as business to business (B2B) rather than business to consumer (B2C) services

and

• their provision relies on network and information systems

A non-exhaustive list of the proposed types of service the government is proposing to bring under the digital services provision under the NIS Regulations 2018 is provided in Annex 1.

Services which fit these characteristics would be regulated as “digital services” under the NIS Regulations 2018 and the providers of these services would be required to comply with the requirements and duties laid out in those regulations.

Responses to the DCMS supply chain cyber security call for views indicated that including a broad definition of “managed services” in the legislation may be challenging to industry in certain contexts. As a result, options for narrowing the scope of what is covered by “managed services” (and therefore regulated under the NIS Regulations) are being explored by DCMS.

The main approach being considered is introducing further risk-based characteristics to the definition of a managed service, and in doing so, ensuring the managed services brought into scope are those which would have the most substantial impact on the UK’s resilience should there be a disruption to their service.

Under this approach, as well as having the above characteristics, to be regulated as “digital services” under the NIS Regulations 2018 a service would have to:

• have privileged access^{[footnote 8]} or connectivity to a customer’s data, IT infrastructure, IT networks and/or IT systems

or

• perform essential or sensitive functions, such as the processing and/or storage of confidential or business-critical data

It should be noted that there is a balance to be struck between developing a very specific definition and one that is more open to interpretation. Narrowing the definition would limit the scope of entities that could be brought into regulations. This reduces the number of entities involved but could have an impact on the UK’s resilience, should those entities provide services that pose a systemic risk. However, keeping the definition wide risks bringing too many organisations within scope of a regulatory regime, which might not be appropriate for them, and increases the regulatory burden for them and the regulator.

The existing exemption for small and micro-businesses from the digital service provisions of the NIS Regulations would be applied to managed service providers.^{[footnote 9]} Due to risks highlighted by recent incidents, DCMS are considering whether this exemption is still proportionate to the risk. The box below outlines this in further detail.

Managed services which are brought under the scope of regulation would be treated in the same way that digital services are and their providers would be treated in the same way that relevant digital service providers are. They will be required to register with the relevant competent authority (the Information Commissioner) and have appropriate and proportionate security measures in place to ensure that their own network and information systems are secure. They will also be required to report relevant incidents to their competent authority.

The requirement for international companies to designate a UK representative would also remain in place and apply to all newly captured managed service providers.

As is the case with other NIS sectors, the nature of the supervisory regime and further information on the security expectations for each type of digital service provider will be determined by the Information Commissioner’s Office (ICO) through guidance.

4.3 Small and micro-businesses

There is an existing exemption for small and micro-businesses in the digital service provisions of the NIS Regulations 2018.^{[footnote 10]} This will be applied equally to managed service providers.

The government recognises the strong need to minimise regulatory burden on small and micro-businesses particularly in a rapidly evolving industry such as this. However, recent incidents have highlighted the scale of risk that can be associated with managed service providers - regardless of their size. Disruptive events affecting small and micro-businesses who provide digital services to operators of essential services and critical national infrastructure can greatly amplify impacts due to the criticality of their customers.

In recognition of these risks, DCMS is looking at whether this blanket exemption is still proportionate to the risk. DCMS is exploring the option of allowing the competent authority to designate specific small and micro-businesses providing digital services to be brought into scope of NIS.

The process of designation would align with that used to designate critical dependencies, as outlined in Section 5. Decisions regarding this would take into account the same factors as outlined in Section 2. This power would only be used on a case by case basis, and the organisation in question may provide representations to the competent authority.

To inform the decision regarding this exemption, we welcome comments on the expected impacts of allowing a small number of small and micro-businesses that provide digital services to be brought into scope of NIS.

4.4 Costs and benefits

Benefits

Expanding the digital services regulated under the NIS Regulations to include managed services would improve the resilience of managed service providers bringing wide-ranging benefits to the UK’s security and economic prosperity, including:

• decreasing the likelihood of market disruption caused by breaches to managed services (such as intellectual property theft or service interruption caused by ransomware attacks) which can have a serious knock-on effect through UK supply chains
• deterring attackers and minimising the effects of criminal activities perpetrated via managed service provider access
• reducing the potential for incidents that constitute a serious threat to national security or society, due to the loss of an essential service through a failure in a managed service

This would be achieved by, firstly, reducing the number of incidents affecting managed service providers that have significant disruptive effects and, secondly, by reducing the impact of incidents through the preparation of appropriate incident response plans. These benefits would be expected as a result of the following direct outcomes of the regulation:

• increased cyber security among managed service providers
• greater awareness of the cyber security risks associated with managed service providers
• greater cooperation and information sharing between managed service providers, regulators and end customers
• increased cyber security for smaller businesses which disproportionately rely on managed service providers for specialist services that they would not be able to host themselves
• greater assurance over the cyber resilience of managed service providers
• increased cyber resilience in supply chains across the UK, including critical national infrastructure sectors
• a stronger deterrence for threat actors to target the UK’s managed service providers and wider economy

Costs

An expansion of the NIS Regulations to include managed service providers would incur financial costs on the entities brought into scope. These can broadly be expected to fall into three categories: one-off administrative costs, increases in cyber security spending, and on-going incident reporting costs.

• Initial administrative costs would be expected to be incurred by managed service providers as they familiarise themselves with the legislation and its implications for their firms. This would be expected to include cost for the time of both lawyers and IT professionals. In the NIS post-implementation review, a majority (73%) of relevant digital service providers reported costs to familiarising with the NIS Regulations and guidance documents following the introduction to NIS Regulations.^{[footnote 11]} This would therefore be expected to be a cost for managed service providers newly brought into the regulation.

• Increases in cyber security spending would be expected by managed service providers brought under regulation, in order to meet the security requirements set out by the ICO.^{[footnote 12]} There is both an ongoing and a one-time cost element in these costs, to reflect an initial improvement to meet the regulations, and an ongoing exercise to meet any changes to standards.

• On-going incident reporting costs would also be expected as managed service providers are newly brought under the NIS Regulation. As part of their obligations, firms will be required to report cyber security incidents that are above the threshold to the ICO. This is the same practice as the current NIS Regulations and was outlined in the original NIS impact assessment.^{[footnote 13]}

DCMS is aware that this measure will require the ICO to regulate substantially more firms than it currently does. This will increase the costs faced by the regulator as there will be an increase in the cost of overseeing a larger number of entities, responding to their enquiries and dealing with more incidents. Further funding from the government will absorb the initial cost of this new responsibility for the ICO, until a new funding scheme, created through the cost recovery measures set out later this consultation, comes into effect. DCMS is working closely with the ICO to ensure appropriate support is in place.

4.5 Questions

Q1. Do you agree that managed services should be brought into the scope of NIS Regulations? [YES/NO]

Q2. Do you agree with the examples of managed services proposed to be within or out of scope of the NIS Regulations, provided in Annex 1? [YES/NO]

Q3. IF NO AT Q2. Please explain the reasons for your answer [OPEN QUESTION]

Q4. Do you agree that the range of managed services brought into scope of NIS legislation should be defined by the following characteristics?

• A. They are supplied to a client by an external supplier [YES/NO]
• B. They involve regular and ongoing service management of data, IT infrastructure, IT networks and/or IT systems [YES/NO]
• C. They are categorised as business to business (B2B) rather than business to consumers (B2C) services [YES/NO]
• D. Their provision relies on the provider’s own network and information system [YES/NO]

Q5. IF NO AT A - D IN Q4: Please explain the reasons for your answer [OPEN QUESTION]

Q6. Do you agree that the definition of managed services subject to regulatory obligations under NIS should be narrowed further? [YES/NO]

Q7. How effective do you believe each of the government’s proposed options for narrowing the definition of managed services will be?

• Have privileged access or connectivity to a customer’s data, IT infrastructure, IT networks and/or IT systems

• Perform essential or sensitive functions

• Very effective
• Somewhat effective
• Not at all effective
• Don’t know

Q8. Please explain why you believe each of the proposed options to be effective or ineffective. [OPEN QUESTION]

Q9. If VERY EFFECTIVE at Q7B please include specific essential or sensitive functions which you think should be included within a definition of managed services. [OPEN QUESTION]

Q10. Please suggest any further options for characteristics which could be applied to defining managed services. [OPEN QUESTION]

Q11. Do you think that the exemption for digital service provider small and micro-businesses should be modified to enable a small number of critical providers to be brought under scope of NIS Regulations? [YES / NO]

Q12. Please explain your answer. [OPEN QUESTION]

Q13. Are there any other comments you would like to make about this measure? [OPEN QUESTION]

4.6 The supervisory regime for digital service providers

Summary

The government proposes to establish a two-tier supervisory regime for digital service providers in scope of NIS. This will involve a proactive (ex-ante) supervisory regime for the most critical digital services and a reactive (ex-post) supervisory regime for the remaining digital services regulated under NIS.

Rationale for the change

Certain types of digital services are essential to the operational continuity and resilience of UK organisations, including the government and critical national infrastructure. The providers of these digital services are key enablers of the digital transformation of the UK’s economy.

Recent high profile cyber attacks have shown that threats are increasingly reaching UK organisations through vulnerabilities in digital services provided by external providers, and by extension, their providers. When digital service providers are supplying services to organisations at scale and across multiple sectors, their vulnerabilities present a considerable threat to the UK’s national security and economic prosperity.

When the original NIS Regulations were developed, it did not foresee the rapid digitisation of recent years. As such, a more light-touch approach was set out in the policy towards the regulation of digital service providers, which does not reflect the criticality of some digital services and their providers today.

How would the measure work in practice

There are a large number of digital service providers operating multiple services within the UK economy. From a practical perspective, it is therefore necessary to differentiate between services that are critical to the UK’s resilience and those that do not carry systemic dependencies. The providers which supply the most critical services would be regulated on a more proactive basis, whilst the remainder would stay on a reactive basis.

Digital service providers regulated on a more proactive basis would be required to more actively demonstrate to the ICO that they have fulfilled their duties under NIS, including maintaining appropriate and proportionate security measures. Digital service providers under a reactive regime would have the same duties, but would only be subjected to a lighter-touch supervision.

To implement this, the government is proposing the development of criteria to identify the most critical providers of digital services. This is a similar approach to that used to identify the most critical operators of essential services within the NIS Regulations. The aim is to target those services and their providers that present the greatest systemic risk to the UK’s economic prosperity and national security.

These criteria would not be defined in detail in legislation, as the existing legislation already allows the ICO the flexibility to be proactive or reactive in its supervision of digital services providers. This will allow flexibility for the criteria to be adapted as the digital and security context evolves, without the need to change primary or secondary legislation. The criteria, which may include specific thresholds, would be defined by the ICO, with support where appropriate from DCMS. DCMS are working across government and with ICO and other regulators to explore options for developing these criteria, including options for alignment, where appropriate, with existing regulation or other government policy. Any such criteria would be subject to consultation by the ICO, in line with best practice.

In order to help shape the ICO and DCMS’s thinking about these criteria, the government would like to be as transparent as possible. DCMS is therefore proposing several options, set out in the following table, for consideration by relevant industry stakeholders. This includes a list of possible factors, alongside examples of how these could be formulated into specific criteria to be used by the ICO. DCMS’s aim is to establish an open, transparent and fair means of identifying the most critical digital services and their providers.

4.7 Summary

The following is a proposed list of factors that would be used to inform decisions regarding which digital service providers should come under a proactive rather than reactive supervisory regime. The decision about which providers should come under a proactive regime would sit with the ICO. This list of factors could potentially be defined in legislation alongside a requirement for the ICO to take these into consideration during such decisions. The ICO would be responsible for developing a set of more detailed criteria, which may include specific thresholds, based on these factors to inform their decisions about which providers should come under the proactive regime. DCMS would support the ICO in the development of these criteria as appropriate.

The more detailed criteria would likely be published by the ICO and/or shared directly with the digital service providers in scope of NIS. The ICO would retain the right to designate digital service providers that fall outside of this criteria.

Proposed list of factors: these factors include quantifiable characteristics of the provider (A-D), as well as more qualitative characteristics of those supplied by the provider (E-G) for the ICO to take into consideration.

• A. Market reach (i.e. the number of users relying on the service provided);
• B. Scale of service provided;
• C. Financial and/or revenue;
• D. Concentration in the market;
• E. The criticality of the clients supplied;
• F. The level of dependence of the clients on the service;
• G. The level of connectivity and access to the clients network;
• H. The likely consequences for national security if an incident impacts on the service.

Examples of potential linked criteria

The competent authority would develop more specific criteria based on the factors listed above to determine which providers should come under the proactive regime. The criteria listed below are illustrative examples of how these factors could be applied in practice:

• A. Market reach: e.g. average annual number of clients supported by a service.
• B. Scale of service provided: e.g. annual staff headcount of a service
• C. Financial and/or revenue: e.g. operators which derive [X%] or more of its annual revenue from the provision of digital services.
• D. Concentration in the market: e.g. the services provided are greater than a certain annual share of the managed service provider sector OR a critical national infrastructure sector
• E. The criticality of the clients supplied: e.g. the service supplies customers critical to the functioning of UK society, where disruption could have a significant impact including loss of life.
• F. The level of dependence of the clients on the service: e.g. the service is critical to the resilience of the end user, such that a disruptive event would have a high impact on the organisation’s activity. This should include considerations of the availability of alternative providers of the required service.
• G. The level of connectivity and access to the client’s network: e.g. the service provider has privileged access to the client’s network and information systems OR the service performs essential or sensitive functions, including the processing and/or storage of confidential business-critical data.
• H. The likely consequences for national security if an incident impacts on the service: e.g. the service is critical to ensuring state protection capabilities, such that a disruptive event would likely have a negative impact on national security.

Implementation considerations

The factors listed above can be split into two types: the first four (A-D) refer to characteristics of the digital service provider, the last four (E-G) relate to characteristics of those being supplied by the provider.

The first type, A-D, would be relatively straightforward to define and calculate. This is because they would be easier to quantify and the digital service provider and/or competent authority could provide most of this information. However, these factors would not necessarily be accurate indicators of the scale of impact should a disruptive event occur. For instance, a company may only have a small number of customers but these customers may provide essential services in critical national infrastructure sectors such as health or energy.

The second type, E-H, would ensure a more accurate understanding of the risk associated with particular digital service providers. However, these would be more challenging to define and would likely require analysis and data provided by the customers. DCMS are exploring options to align more closely with other government policies, particularly relating to critical national infrastructure, that may facilitate a more streamlined approach to collecting the necessary data.

Considering the challenges and limitations of both types of factors, the government proposes using a combination of the two to enable a proportionate, risk-based approach.

Other implementation considerations include the extent to which factors should be incorporated in legislation as opposed to guidance. Through the approach proposed, we intend to provide as much transparency and clarity as possible on the reasons why a provider may come under the proactive regime while still allowing for sufficient flexibility to adapt the specific criteria to evolving risks and technology.

4.8 Role of the ICO

Under this measure, the ICO would continue to provide guidance on cyber security practices and measures for all digital service providers. Relevant digital service providers within scope of the NIS Regulations are required to register with the ICO and report any cyber security incidents to the ICO. For the vast majority of registered digital service providers, the ICO would only provide reactive supervision - providing advice and guidance which digital services providers must comply with, but only taking regulatory action when there has been an incident, or a credible report of an incident or failure to implement the requirements of the Regulations.

However, the ICO would adopt a more proactive role in the supervision of a limited group of the most critical digital service providers, in a similar fashion to the regulatory regime for operators of essential services. This means that the ICO would proactively monitor and investigate whether those service providers are able to demonstrate they have fulfilled their duties under NIS.

Those organisations will be expected to cooperate and work with the ICO to ensure that the ICO has an adequate understanding of their security measures, in order for the ICO to make reasonable decisions regarding their implementation of the requirements of the Regulations. The ICO would be able to require information to support the function of its duties and would be able to carry out inspections as and when necessary.

This is a direct advantage over the current light-touch, reactive, approach. It will ensure that the most critical digital service providers are accountable for any measures taken prior to an incident occurring. This will drive up standards, making it more difficult for attackers to carry out high profile attacks in the UK. It will also provide greater assurance to the customers of those digital service providers, some of whom are critical to the workings of the UK.

The ICO, as set out above, would also be responsible for developing the criteria to identify which digital services would be considered the most critical and which digital service providers would fall under proactive supervision based on the factors cited above. DCMS would provide support to ICO in the development and subsequent review of these criteria, as appropriate.

Furthermore, there may be opportunities for cross-sectoral collaboration with sectoral initiatives either within or outside of the NIS framework when it comes to establishing thresholds for inclusion or identifying the most critical digital services, for example in the financial services sector, where digital services play a critical role.

The success of this proposal is not contingent solely on competent authorities and providers, however; it is important for customers and suppliers to cooperate in order to effectively manage shared cyber risk. The importance of this cooperation was highlighted by respondents in DCMS’ 2021 Supply Chain Security Call for Views.

The government recognises that cooperation between digital service providers and their customers is a necessary and complementary step towards better cyber security and cyber resilience. While organisations in scope must fulfil their duties to protect their essential services, their customers need to be equipped with the right tools and information to make informed business- and risk-informed decisions.

Many of these decisions cannot be made without information from the digital service provider. Digital service providers need to keep their customers informed about the standards that they themselves comply with, and provide any reasonable information that customers might need to take in order to maximise their resilience. Consequently, the government will consider, alongside this proposal, whether further guidance on supplier-customer cyber resilience cooperation will be necessary, particularly in respect to those providers subject to a proactive supervisory regime.

4.9 Costs and benefits

Benefits

In the long term, this measure would make it more difficult for attackers to carry out high profile attacks in the UK, reducing the risks of harm to the UK’s society and economic prosperity by protecting critical services. This objective would be achieved by:

• allowing the ICO to focus its resources on those digital service providers that carry the highest level of risk to the UK’s cyber resilience through a two-tiered supervision system that brings only the most critical service providers under proactive supervision
• providing the market with greater assurance over the resilience of the most critical digital service providers
• increasing the resilience of supply chains across the UK, including critical national infrastructure.

Costs

In adopting a more proactive supervisory approach for the most critical digital service providers, the ICO will likely incur additional costs associated with the ongoing monitoring of these entities. These will include the cost of evidence collection, review, analysis and feedback. Costs will also be incurred in the ICO’s additional responsibility of designating entities for proactive supervision. This responsibility will require the ICO to develop the criteria for determining the most critical entities, and identify the entities that fit these criteria. DCMS recognises that this will be a challenging and complex task and intends to work closely with the ICO to ensure that appropriate support is in place.

Digital service providers which are designated as “most critical” will also likely experience increased costs in compliance reporting. While only 48% of operator of essential services reported additions in the cost of the compliance reporting in the NIS Post-Implementation Review^{[footnote 14]}, it would be assumed all digital service providers in a proactive supervisory regime would incur these costs over time.

The familiarisation cost has not been quantified at this stage, as it is unclear how many of those firms that are proactively supervised will be managed service providers. Managed service providers will have their familiarisation cost included in the measure to expand the definition of digital service providers.

4.10 Questions

Q14. Do you agree with the Government’s proposal to specify a two-tier supervisory regime for providers of digital services? [YES/NO]

Q15. Do you agree with the Government’s proposal to define the factors that the ICO should take into consideration as part of the two-tier supervisory regime? [YES/NO]

Q16. Do you agree that further guidance on supplier-customer cyber resilience cooperation is necessary, particularly as part of a supervisory regime for the most critical digital service providers? [YES/NO]

Q17. How effective do you believe each of the government’s proposed options for factors would be in ensuring the digital services most critical to the UKs resilience are captured?

• A. The criticality of the customers supplied
• B. The level of dependence of the customer on the service
• C. The level of connectivity and access to the customers network
• D. Market reach (e.g. average annual number of clients supported by a service)
• E. Scale (e.g. annual staff headcount of a service)
• F. Financial
• G. Concentration in the market

• H. The likely consequences for national security

• Very effective
• Somewhat effective
• Not at all effective
• Don’t know

Q18. Please explain why you believe the proposed options to be effective or ineffective. [OPEN QUESTION]

Q19. Do you have any suggestions for alternative factors that should be considered? [OPEN QUESTION]

Q20. Are there any other comments you would like to make about this measure? [OPEN QUESTION]

5. Pillar II: Proposals to future-proof the UK NIS Regulations

5.1 Delegated power to update the NIS Regulations in the future

Summary

To provide ministers with the power to make changes to the NIS Regulations through secondary legislation, without changing the current remit of the Regulations (i.e. the expansion of the scope of the legislation, for example, would be out of scope).

Rationale for the change

The UK government has no power to make policy updates to the NIS Regulations directly; any amendment, however small, must be done via primary legislation. As the NIS Regulations concern a sector that is continuously developing at a high speed, it is imperative that the regulations remain relevant and up to date in order to be effective.

It is highly likely that future amendments will continue to be required under the NIS Regulations; firstly, the advance of new technologies, threats, and new approaches that threat actors may employ will require the regulations to be flexible and agile enough to respond to them. Secondly, as the regulations are constantly reviewed (either informally or via statutory reviews such as the Post-Implementation Review), it is likely that improvements will be identified, either to reduce burdens, consolidate processes, or add new provisions to make them more effective.

In the absence of a power to enable changes to be made by secondary legislation, the government would need to introduce a Bill to make even the smallest of policy or technical changes to the NIS Regulations. The power previously used to amend the Regulations was Section 2(2) of the European Communities Act 1972, but that has now been repealed as a consequence of the UK’s withdrawal from the EU. There is a risk that such small amendments would be overshadowed by other important policy initiatives in government and Parliament and thus, will likely lead to being implemented very slowly.

Regaining the ability to make improvements to the Regulations by secondary legislation is vital to the well-functioning of the NIS Regulations in the future. As the post-implementation review stated ‘It is important that the government maintains the powers to amend the regulations, in order to adapt them to better suit the needs of industry and the government in the future.’^{[footnote 15]}

5.2 Case study

The NIS Post-Implementation Review set out a number of recommendations following the assessment of the efficacy and utility of the regulations in May 2020. Many of these recommendations (those that did not need primary legislation to be implemented) were taken forward by the government via a statutory instrument that was laid in November 2020 and which came into force on 1st January 2021.

One of the recommendations was that the regulations should have a statutory appeal mechanism, as the previous process (the ‘Independent Reviewer’) was deemed to be inconsistent across all NIS sectors and too burdensome for operators and regulators alike.^{[footnote 16]}

Following a public consultation on the proposals, Statutory Instrument 2020/1245 implemented a new statutory appeal system under the jurisdiction of the General Regulatory Chamber of the First-tier Tribunal, following the Rules of Procedure of the General Regulatory Chamber. The instrument also made changes to the list of appealable matters in the regulations, allowing regulated organisations to put forward appeals to a wider range of decisions made by competent authorities.

This example illustrates the necessity of making improvements to the NIS Regulations; as the legislation has been in force for only three years, many of its provisions have not yet been tested (such as formal enforcement processes, penalties, and many others). Future reviews may also yield further recommendations to improve the functionality of the regulations, resolve any potential gaps, and reduce burdens or consolidate processes. Without a delegated power to make legislation, such amendments would not be possible.

Without the power to make updating changes to the regulations via secondary legislation the NIS Regulations in the UK risk being less effective, as emerging threats to the security of networks and information systems cannot be counteracted if the Regulations do not allow regulators to intervene as necessary or are not effective enough to capture those issues.

It is proposed that the power be limited in terms of what aspects of the NIS Regulations it can be used to amend and also that safeguards are applied to the exercise of the power. These are set out below.

As there has already been the need for changes since the NIS Regulations came into effect, exemplified by the outcomes of the first post-implementation review, it is highly likely that the evolving cyber security landscape will require further changes to the regulations to remain effective.

Note that the power is intended to allow changes to be made to the NIS framework; this includes the provision to make changes to Commission Implementing Regulation (EU) 2018/151 (retained EU law), as it governs the security duties of digital service providers in the UK.

How would the measure work in practice

Delegated power would allow the government to update and amend the NIS Regulations without requiring an Act of Parliament, subject to certain restraints and limitations outlined below. Any amendments which would expand the scope of NIS or change the purpose of the regulations would be outside the scope of the proposed power.

The power proposed by this measure would enable amendments to be made by government using secondary legislation to a number of aspects of the regulations; this may include, but is not limited to: the national framework (Part 2 of the NIS Regulations), operators of essential services (Part 3), digital services (Part 4), and enforcement and penalties (Part 5)^{[footnote 17]}, as well as to the UK version of the Commission Implementing Regulation 2018/151 which covers (i) the elements to be taken into account when ensuring levels of security; and (ii) parameters for determining if an incident has a substantial impact in relation to digital service providers.

Amendments would be limited to matters already covered by the existing NIS regime and could not be used to amend any of the fundamental principles underpinning the NIS Regulations. Amendments would only be made where there is evidence that amendments are needed to improve the functioning of the NIS Regulations.

Safeguards

The proposed measure will include safeguards to ensure that the power is used appropriately and proportionately and that it cannot be used in a way that goes beyond the policy objectives of the original regulations. These safeguards are yet to be fully finalised, but will include steps such as a requirement to consult and produce impact assessments as appropriate. These will be included in the legislation to ensure that there is transparency. They will be aimed at limiting the application of this power, to allow amendments to improve its work/application, without expanding its scope or purpose.

Duty to consult

In addition to the safeguards, we will also include a duty to consult on any proposed changes in the future through this delegated power. The consultation would necessarily have to include those stakeholders that would likely be impacted by the change.

As the power is meant to stay within the existing policy limits of the NIS Regulations (and as some amendments may be security-sensitive), the government may decide to consult operators of essential services and digital service providers separately (and in confidence so as not to jeopardise their security) alongside any public consultation on the proposed amendments.

Costs and benefits

The main benefit of this measure is that the UK government would have the ability to react quickly and effectively to changing threats in the cyber security landscape. This will enable the NIS Regulations to remain nimble and effective in protecting network and information systems. The consequence of not having a power by which the existing regime may be updated could be that the Regulations stagnate and become less effective over time; equally, making small changes through Acts of Parliament may unnecessarily delay other government initiatives and take valuable parliamentary time unnecessarily, as the amendments would not represent a fundamental change to the principles of the NIS framework.

As this measure does not make any immediate changes, instead giving the UK government the power to make changes to the Regulations, there are currently no tangible costs to the measure. In the future, any updating amendments made to the Regulations may have costs associated with them, but these costs will be fully considered under a relevant impact assessment.

5.3 Questions

Q21. Do you agree with the UK government having power to amend certain elements of the NIS Regulations and the UK version of the Commission Implementing Regulation 2018/151 through secondary legislation? [YES/NO]

Q22. Do you agree with the safeguards and limitations proposed in this document? [YES/NO]

Q23. IF NO AT Q22: Which safeguards do you consider to be inappropriate for this proposal? [OPEN QUESTION]

Q24. Are there any other safeguards or limitations that you feel that the government should consider? [OPEN QUESTION]

Q25. Are there any areas of the NIS Regulation in the UK which you think should not be included in the delegated power? [YES/NO]

Q26 IF YES AT Q25: What area(s) should not be included and why should it not be updated using secondary legislation? [OPEN QUESTION]

Q27. Are there any other comments you would like to make about this measure? [OPEN QUESTION]

5.4 Delegated power to amend the scope of the NIS Regulations

Summary

To create a power that would allow the government to change the scope of the NIS Regulations to include new sectors. This could be used to change existing NIS sectors and sub-sectors or to add new sectors and sub-sectors in the future.^{[footnote 18]}

Rationale for the change

There are a number of reasons why the scope of the NIS Regulations may require review in the future:

• Currently the sectors under the NIS Regulations are limited to those that were originally set by the Directive in 2016. Sub-sectors are limited to those that the UK deemed critical in 2018, when the NIS Directive was transposed into national legislation.
• It is necessary to remain agile and be able to respond accordingly, mainly due to the potential emergence of new technologies, more sophisticated threat actors, or new national objectives.
• New sectors and sub-sectors that are critical to the delivery of the UK’s essential services, can emerge or existing sectors can rise in importance, and those sectors are not included in our cyber security regulatory frameworks.

The proposal in Pillar 1 relating to the expansion of the NIS Regulations to cover managed service providers, in light of the vulnerabilities to essential services that have emerged recently, is a prime example of why the NIS Regulations may require refining in the future. It is important to ensure that threats to networks and information systems in sectors that provide important services to the UK economy and society are protected.

Delegated power to make changes to the NIS Regulations were also underlined as a potential gap by the post-implementation review of the NIS Regulations, in May 2020. While the provisions above deal with updating powers for the existing legislative regime, it is important that a delegated power to amend the scope of the regulations is considered.

While the government is not suggesting putting forward any further specific sectors that would become part of the NIS regulatory landscape at the moment, this is an appropriate time to introduce such a power. It is necessary to ensure that such amendments (either as a consequence of the upcoming NIS post-implementation review 2022 or any other national assessment, strategy or subsequent review) can be made swiftly and effectively, whilst also giving sufficient time for consultations, assessments and preparations of the relevant sectors to be brought into scope.

Examples of such sectors (for illustrative purposes only and subject to further assessments and consultation) include electric vehicles, waste water, data centres, organisations providing aggregation services in the energy sector, energy management and demand response services (e.g. electric chargepoint operators), heat pumps, batteries, manufacturing (particularly the manufacturing of electronic hardware and software, and chemicals, and any products that could be considered essential, such as pharmaceuticals and medical devices used within healthcare), construction, and education.

A lack of regulatory oversight to ensure that these sectors are maintaining adequate cyber security protection leaves the UK open to increased cyber security risks. It must be stressed - these sectors exemplify other avenues where services that are essential to the security and prosperity of the UK may require further support and intervention. Sector-specific engagement would precede any proposed extension to NIS.

It is critical that the UK government can adapt its regulatory framework, to protect UK citizens and the services that they rely on. Crises such as the Covid-19 pandemic highlight the need for this agility, when vital sectors across Europe such as vaccine manufacturing have been liable to attacks. In the rapidly evolving cyber security landscape, this measure would help future-proof the regulations.

How would the measure work in practice

The measure would take the form of a delegated power, by which the UK government may make amendments to the NIS Regulations in order to vary the sectors and sub-sectors which are in scope of the Regulations, including adding new sectors and sub-sectors. The power would be subject to appropriate safeguards and limitations, to ensure that it is appropriate, proportionate, and does not go beyond its intended objective.

To this end, the government is proposing to include a number of additional aspects to the delegated power:

• 1. Establish evidence for adding, removing, or expanding sectors or sub-sectors

The identification of new sectors and sub-sectors, as well as the expansion of the definition of existing sectors, will be kept under review and informed by national priorities for the provision of essential services within the UK, including critical national infrastructure, and future national assessment of risk where regulatory intervention is necessary and proportionate to reduce the likelihood of a significant disruption to UK citizens and businesses. Guidance will be provided to competent authorities to support this.

The policy approach will also consider options to avoid regulatory overburdening. Primarily, any assessment made under this provision will need to consider existing regulation in the proposed sector, and assess whether it is reasonable to expand NIS to the respective sector. This is particularly relevant where sectors are already covered by relevant legislation (such as Public Telecoms, Finance or Banking) that is aimed at protecting their security of networks and information systems.

• 2. Include safeguards to limit the extent of the delegated power

Safeguards are important to ensure the power is used appropriately and is not subject to any misuse. The government proposes that such safeguards should ensure that any decision-making regarding the use of this power be informed by evidence, and that such evidence consider both the necessity of expanding the application of NIS to other sectors and sub-sectors as well as the impact (financial or otherwise) that such an expansion would have on those organisations brought into scope.

Safeguards should also consider the views of interested and affected parties, as well as the wider public. Such consultations are an important tool in developing national policy that is relevant, appropriate, effective, and reflective of a wide range of views from all sectors and all walks of life.

If any amendments would concern areas of devolved competence, in line with the government’s commitment to strengthen the Union, the devolved administrations will be consulted directly.

Costs and benefits

An expansion of the NIS Regulations to other sectors would incur financial costs on both the government (and public bodies / regulators) and the private or public entities that would be brought into scope. These costs would be similar to those incurred at the first stage of implementation of NIS Regulations in 2018. The 2018 impact assessment of the NIS Regulations provides a thorough breakdown of such costs, i.e. familiarisation and competent authority costs businesses would incur.^{[footnote 19]}

Adding a new sector could potentially entail the creation of either a new regulator, or the familiarisation costs to support an existing regulator to implement NIS Regulations. Government would need to front the initial costs of implementation until they can be retrieved from regulated bodies.

A full cost breakdown of expected costs is included in the pre-consultation impact assessment, attached to this document.

5.5 Questions

Q28. Do you agree with the government’s proposal for a delegated power that would allow the government to amend the NIS Regulations to expand the scope of the NIS framework? [YES/NO]

Q29. IF NO AT Q28: Please explain your answer. [OPEN QUESTION]

Q30. Do you agree that this measure should contain safeguards and limitations? [YES/NO]

Q31. IF YES AT Q30: What safeguards and limitations do you think should be in place? [OPEN QUESTION]

Q32. Do you agree that there are benefits in additional sectors (such as those examples listed in the rationale section) being designated under NIS? [YES/NO]

Q33. If YES AT Q32: What benefits do you see in additional sectors being designated under NIS? [OPEN QUESTION]

Q34. Are there any other comments you would like to make about this measure? [OPEN QUESTION]

5.6 Measure to regulate critical sectoral dependencies in NIS

Summary

To create a new power to designate critical suppliers or services, on which existing essential and digital services depend, bringing them directly into scope of the NIS Regulations. The services provided by designated entities would then fall under the remit of the NIS Regulations and they will be required to take appropriate and proportionate measures to secure them.

Rationale for the change

Some NIS sectors are dependent on underlying services, without which the essential service would not be able to operate. At present, the NIS Regulations only apply to organisations directly providing an ‘essential service’, such as those which are distributing water or generating electricity. Even though an essential service might wholly rely on another supporting service, it is not currently possible to ensure that this ‘dependency’ is adequately secure from a cyber security perspective and there is no statutory obligation to protect these services against cyber attacks.

These ‘essential services’ are too important to fail and the current approach of relying on commercial or contractual relationships between the third party suppliers or services and the overarching essential service provider to ensure supply chain security is not enough. More robust requirements to ensure minimum cyber security standards are required.

The following example seeks to outline the types of entities the proposal would capture and is illustrative only. In the health sector, healthcare providers might consider outsourcing their IT services to third party companies. Those third party suppliers, because they are not directly providing healthcare services, are not within scope of the NIS Regulations. Oversight of their services and their security is limited to contractual obligations between the third party supplier and the relevant NHS trust.

A significant disruption of such outsourced IT services would very likely have a direct and substantial impact on the ability of the healthcare provider to continue offering their services. Under this proposal, the third party supplier would be brought within the scope of the NIS Regulations and would be required to comply with the security requirements of the NIS Regulations.

Organisations within a single sector, or that operate across multiple sectors, can introduce risks to the ongoing operation of essential services. Critical dependencies can arise due to a range of factors, which may be specific to a sector or apply to more than one. For example, critical dependencies could arise through: the wider supply chain, an organisation’s position in the market and/or the organisation’s relationship with an operator of an essential service.

Although an essential service may utilise a number of underlying services, ‘critical dependencies’ may occur where there are a limited number of suppliers of the underlying service, especially if the services that these suppliers provide are not easily interoperable or substitutable. As the essential service is reliant on the continued operation of the critical dependency, this introduces cyber security risk and could make these dependencies vulnerable to attacks from malicious actors.

The services in question would not necessarily be restricted to ‘digital services’, and could refer to, for example, the continuous supply of a consumable resource such as a raw material, fuel or chemical relied upon by a NIS sector. Given the cyber security focus of the NIS Regulations, non-digital services would only be appropriate candidates for designation as critical dependencies if they relied on network and information systems for their continuous provision, and therefore, the continuity of the essential service could be disrupted by an incident involving the supplier’s network and information systems.

How would the measure work in practice

The government would be granted a power to designate entities as ‘critical dependencies’, in response to competent authority recommendations. These organisations would then have to comply with the same duties as the operators of essential services.

What amounts to a ‘critical dependency’

To be considered a ‘critical dependency’, as a minimum:

• the organisation in question must supply a service that at least one operator of an essential service identifies as being dependent on in order to provide its essential service
• provision of the service must rely on network and information systems
• the competent authority must conclude that an incident affecting the supply of that service by that person is likely to have significant disruptive effects on the provision of the essential service

Following this, the proposal seeks to ensure critical dependencies underpinning essential services are identified and managed, in line with guidance on the identification and classification of critical national infrastructure and assessments around national security risks, in order to ensure that such decisions would be proportionate and that there is consistency across sectors. Guidance will be provided to competent authorities to support this.

Step 1. Establish criteria for identifying critical sector dependencies

Legislation would set out the minimum criteria for competent authorities to consider when identifying critical dependencies for their sectors (blue box above). Competent authorities will be expected to arrive at their own judgments about whether these criteria have been met.

To aid consistency and transparency in decision making across different sectors, the proposal will also set out a range of factors which the competent authority must have regard to in reaching its decision. Such factors might include the number of operators relying on a single organisation for a critical service, and the potential impact of an incident in terms of scale and severity. No quantitative thresholds would be set for these factors, but competent authorities would be required to consider the factors in their assessment before making any recommendation for designation.

Step 2. Undertake sectoral assessments to identify critical sector dependencies

In order to identify critical sectoral dependencies, competent authorities would need to undertake risk assessments of their sectors. While legislation will set out minimum criteria and any factors which must be taken into consideration, it will be for competent authorities to determine their own process for undertaking sectoral risk assessments, aligning closely with frameworks around critical national infrastructure and national security risks, and to set that process out in government guidance adapted for their sectors.

In practical terms, this will involve sector regulators working with operators they regulate to identify the supporting services that the essential service is reliant on, identifying what organisations supply these services, and then assessing whether network failures at any individual organisation identified could result in a significant disruption to the essential service provided by that sector.

A similar process would be used to identify cross-sector dependencies. This is discussed in more detail below. It should be noted that this is a discretionary power. Competent authorities will not be mandated to undertake sectoral risk assessments, and would only need to do so if they consider it to be necessary to use this provision.

Step 3. Engage with organisations that would potentially be designated

Once a critical dependency is identified, the competent authority must engage with organisations in question, to confirm that the organisation’s continuous operation is critical enough to require designation as a ‘critical dependency’. Any organisation that is identified as potentially representing a critical dependency must be consulted and given an opportunity to make representations before a final decision is made.

Step 4. Nominating critical sector dependencies for designation by the government

On the basis of the sectoral risk assessments, NIS competent authorities would formally nominate critical sector dependencies to be designated by the government. A government minister would review all the necessary information and either formally designate the entity or refer it back to the competent authority for review.

Step 5. Holding organisations that represent critical dependencies responsible for their cyber security

Once designated, critical dependencies would effectively be brought under the scope of NIS and would be subject to all the same duties as operators of essential services. This includes the security duties that require organisations to have appropriate and proportionate security measures in place to protect their network and information systems, and incident reporting duties.

Cross-sector dependencies

In addition to critical dependencies identified within individual sectors, the government proposes to allow this power to be used to designate organisations identified as dependencies for multiple sectors. This would include organisations that are only deemed ‘critical’ when their supply relationships are considered across multiple NIS sectors in aggregate.

In such cases, the government will follow the same approach as set out above, drawing on risk assessments undertaken by individual sectors to identify where critical supporting services, and the organisations supplying them, appear across multiple sectors. The assessment of whether an organisation could cause a significant disruptive effect would then consider the risk posed and potential impact in aggregate across those sectors.

Where multiple sectors identify the same critical sectoral dependencies, or the government identifies additional cross-sector dependencies, a single competent authority will be determined to avoid duplication of regulatory oversight. The government, in consultation with the relevant competent authorities, will determine the most appropriate single competent authority to oversee an organisation on a case-by-case basis. Considerations might include the sector of the organisation in question, the sector which is most dependent upon its services, and will require consultation between relevant competent authorities and with the organisation itself.

Any duties set out in this measure will only apply to those elements of an organisation that support the service that the essential service is reliant on.

The aim of this measure is to mitigate and manage risks posed by organisations that do not currently fall within the scope of the NIS Regulations, and are therefore not subject to the same statutory security or reporting duties. No organisation already under the remit of the NIS Regulations would therefore be designated under this measure, as this would bring no additional benefit.

Similarly, there may be little value in designating organisations in heavily regulated sectors, which are already subject to equivalent or more stringent regulatory requirements. Designation decisions would be made on a case-by-case basis. We do not propose to include any explicit sectoral exemptions, but it is not envisaged that this power would be used to designate organisations in sectors where there are already equivalent regulatory powers and oversight. For example, organisations in the finance sector, which are subject to equivalent arrangements are unlikely to be designated. In these cases collaboration between respective regulators would be more appropriate, and would be pursued before resorting to designation.

Costs and benefits

The main benefit of this measure is that it will allow the government to ensure critical services currently outside the scope of the Regulations, and the organisations that supply them, are subject to regulatory oversight. This will close a significant gap in competent authorities’ ability to secure the totality of the network and information systems on which their sector depends.

This measure may bring increased regulatory requirements on competent authorities if they deem it necessary to both identify and then oversee critical dependencies, which will result in additional costs. Organisations designated as critical dependencies will also be required to meet higher security requirements which may result in increased costs.

As mentioned above in relation to the expansion of the regulation of digital service providers, there will be some costs for newly designated entities arising from familiarisation with the regulatory regime, although familiarisation costs are estimated to be significantly smaller for this measure as fewer entities will be affected. Competent authorities will not be mandated to identify all sector critical dependencies.

A full impact assessment is planned for 2022 and the pre-consultation impact assessment has been published alongside this paper, outlining the department’s early assessment of the impact of the proposal on the economy.

5.7 Questions

Q35. Do you agree that the government should be granted the power to designate critical dependencies? [YES/NO]

Q36. Please provide any suggestions for changes or an alternative approach that would allow for the designation of critical dependencies. [OPEN QUESTION]

Q37. Are there any additional safeguards that you think are necessary? [OPEN QUESTION]

Q38. Are there any other comments you would like to make about this measure? [OPEN QUESTION]

5.8 Additional incident reporting duties beyond continuity of service

Summary

Expanding the incident reporting requirements under the NIS Regulations to include incidents that do not actually affect the continuity of the service directly, but nonetheless pose a significant risk to the security and resilience of the entities in question and the essential services they provide (e.g. ransomware attacks).

Rationale for the change

To date, there have been very few cyber security incidents reported under the NIS Regulations. This is in stark contrast with incident numbers known by the government and operators of essential services. While it is possible to lower the thresholds (e.g. the numerical criteria setting out at what level of impact an incident is reportable) via statutory guidance, the regulations currently limit reporting of cyber security incidents to only those that affect continuity of service.

This means that under the current incident reporting regime, significant cyber security incidents are not reportable if they do not impact the provision of the essential (or digital) service. For example, a ransomware attack that encrypted the personal files and systems of a company, but did not affect critical service would not be required to be reported. Such a breach could leave the operator vulnerable to follow-up attacks which could impact on the continuity of the service, and create opportunities for other threat actors to follow suit. It is imperative that such significant incidents are reported.

The government is aware of a number of incidents that do not meet NIS or UK GDPR definitions or thresholds, and yet have been serious enough to warrant, in a reasonable scenario, competent authorities and law enforcement to have been informed of. Early reporting of such incidents can help national authorities support the affected operator, alert other operators who may be vulnerable to the same type of attack, or pursue threat actors through existing legislation. While competent authorities have voluntary reporting schemes in place, take up of these has been very limited. As a result the competent authorities have not been adequately sighted on the threat landscape, limiting their ability to provide wider sectoral support.

For example, in the March 2021 attack on Microsoft, their Exchange server (governing their email, calendar, contact, scheduling, and collaboration platform) was compromised. This could have led to an attacker gaining a deeper foothold into the victim’s networks through this route. While such an attack would not necessarily have reached the reporting requirements under NIS (for services in scope, such as cloud computing), the fact that the breach leaves the victim open for follow-up attacks by taking control over their networks represents a direct threat to the continuity of those essential services.

Microsoft was able to respond quickly and effectively to this; other providers will not necessarily be as prepared and prior knowledge of these incidents would allow regulators not only to support the victim, but ensure other entities are able to rectify vulnerabilities before the service can be affected or before other operators are put at risk. This seeks to illustrate that incidents that do not affect continuity of the essential service still represent a significant threat, and the sooner regulators are informed, the quicker they are able to provide support and guide operators to take appropriate actions to mitigate further damage.

As many organisations, including the UK government, rely on (and still run) versions of these services, notification of such an incident would also be extremely valuable in bringing attention to other vulnerabilities, and would allow the government and regulatory authorities to take action.

It is vital that the Regulations can require operators to disclose such important events, so that the regulators are able to request that the entities take appropriate action to mitigate those risks. More active reporting will support policy development with consistent underpinning of evidence. Examples of other upcoming bills that seek to capture potential incident reporting include the Telecommunications (Security) Act^{[footnote 20]}, the Australian Security Legislation Amendment (Critical Infrastructure) Bill 2020^{[footnote 21]}, as well as the EU’s NIS 2.0 proposal. This demonstrates how reliance on continuity of service as a threshold for reporting is inadequate.

How would the measure work in practice

Broadly, the measure seeks to include new duties for operators of essential services and relevant digital service providers in regard to incident reporting. The NIS Regulations will be amended to introduce a new requirement on operators of essential services and relevant digital service providers to report security incidents that have an impact on the security of network and information systems underpinning the provision of an essential service do not affect the continuity of that service.

In line with the practice around the duties to notify incidents already in effect, the nature and types of incidents that have an impact on the organisation but do not actually impact on the continuity of the service will be set out in guidance and will focus only on those types of incidents that are significant enough to warrant increased scrutiny in order to protect the provision of the essential service.

We should also reiterate a point made clear in the original 2017 government consultation on the NIS Regulations, in an effort to reassure operators: suffering and then reporting an incident does not automatically lead to enforcement action. Incidents are, to some extent, unavoidable. The most important aspect of any incident is whether reasonable and proportionate measures were in place to prevent such an incident.

New indicative minimum thresholds for reportable incidents

The duty to report this new range of incidents will be included in the legislation and the specific sectoral thresholds for reporting will be set by the competent authorities through sectoral guidance, as is the case currently for all other incidents. Consideration will have to be given to the appropriate level of reporting, to limit the burden on industry and competent authorities and to ensure the right level of intelligence is captured.

The government proposes that the new incident reporting requirement is:

Any incident which has a significant impact on the availability, integrity, or confidentiality of networks and information systems, and that could cause, or threaten to cause, substantial disruption to the service.

Competent authorities will work and agree the specific thresholds with operators of essential services and relevant digital service providers. Competent authorities and the government understand that effective incident management and monitoring systems receive thousands, if not hundreds of thousands of alerts every day, and have no wish to burden themselves or operators with a requirement to report all of these incidents. A triage system will need to be put in place to identify only the more serious and threatening incidents.

It should be reiterated that incident reporting under the NIS Regulations is a regulatory function - not an incident management function. The purpose of the incident report is to allow the competent authority to understand the nature and impact of the incident, so that it can assess whether any further regulatory action is necessary, not to enable it to carry out incident response activities. Competent authorities would then share this information with the NCSC as required under the regulations.^{[footnote 22]}

It is probable that the impact of incidents affecting the security of network and information systems of organisations in scope would not be limited to the NIS Regulations. Incidents can also impact on other regulatory regimes, such as data protection or the payments services directive. Where such instances arise, regulators are encouraged to work together to minimise the reporting burden on the organisations (as is the case under the existing regulations).

Costs and benefits

The measure will incur additional costs for both competent authorities and operators in scope of NIS. It will result in additional reporting requirements for NIS regulated bodies. Competent authority workload would also increase as a result of additional incident report-processing, and all following interventions.

The key benefits of this amendment legislation would be that competent authorities will be better well-informed of the threat landscape i.e. the incidents and the risks that regulated organisations are facing. It would also improve regulators’ visibility of security measures implemented by operators of essential services and relevant digital service providers to mitigate such threats.

It would assist competent authorities to drive targeted proactive engagement across the regulated communities. It would inform policy decision-making, as competent authorities will have the ability to identify emerging risks and take steps to raise awareness and provide relevant guidance to regulated communities. Ultimately this will enable the authorities to drive better security behaviours in their respective sectors, which will diminish the risk of threats materialising into actual disruption of essential services.

5.9 Questions

Q39. Do you agree with expanding incident reporting duties to include incidents that do not affect continuity? [YES/NO]

Q40. Please explain your answer. [OPEN QUESTION]

Q41. Do you agree with the below proposal for the additional incident reporting requirement? [YES/NO]

“Any incident which has a significant impact on the availability, integrity, or confidentiality of networks and information systems, and that could cause, or threaten to cause, substantial disruption to the service.”

Q42. Please explain your answer. [OPEN QUESTION]

Q43. Please provide any alternative suggestions for how the additional incident reporting requirement could be defined? [OPEN QUESTION]

Q44. What factors do you feel are most important in assessing whether an incident has the potential to impact the continuity of the service? [OPEN QUESTION]

Q45. Are there any other comments you would like to make about this measure? [OPEN QUESTION]

5.10 Full cost recovery for NIS functions

Summary

The government proposes that the full costs incurred by competent authorities for regulating NIS are transferred from the taxpayer onto the organisations in scope by creating a more flexible model that allows them to raise fees and recover costs for relevant NIS activities.

Rationale for the change

This change will release pressure from public funds, give competent authorities more financial flexibility to execute their daily work, and discourage regulated bodies from frustrating the enforcement process without consequences. Regulation 21 of the NIS Regulations provides that costs cannot be recovered by the NIS competent authorities for functions carried out under regulations 17 (enforcement notices, 18 (penalties), 19A (appeals), A20 (civil proceedings) and 20 (enforcement of penalty notices). They are able to recover reasonable costs for all other regulatory functions (e.g. sending an Information Notice or carrying out inspections).

It is government policy that charges for services provided by public sector organisations normally pass on the full cost of providing them. This is in line with the Treasury guidelines for managing public money: ‘certain public goods and services are financed by charges rather than from general taxation.’ The standard principle is to set charges to recover full costs, an approach that is intended to ensure government and public bodies neither profit at the expense of consumers nor make a loss for taxpayers to subsidise. Regulators delivering regulatory oversight under other legislations, such as the Health and Safety Executive and the Drinking Water Inspectorate, already operate on a full cost recovery basis.

Moreover, this system creates cash flow obstacles for the regulators. Competent authorities must try to estimate the multi-annual costs of NIS implementation in advance, sometimes up to three years in advance in the case of government funding bids such as the spending review. Thus competent authorities do not have the flexibility, once a centrally funded budget has been approved, to react to sudden increases in their workload.

How would the measure work in practice

Firstly, the UK government proposes to extend the power of competent authorities to recover all of their costs from industry. It is important to note that only “reasonable costs” will continue to be recoverable.

Secondly, the government seeks to determine how the competent authorities should recover their costs from companies. There are a number of options to do this, which the government is seeking the views of industry, to identify the most effective , and least burdensome manner.

Option 1 : Remove the limitation in the legislation and expand cost recovery to all regulatory activities.

This option would effectively remove the limitation in the Regulations that prevents competent authorities from recovering the entirety of the costs incurred from carrying out their functions under the Regulations, notably from regulations 17(1)-17(4) and 18 to 20. Competent authorities would then be able to recover costs incurred from issuing enforcement notices, penalty notices (to name a few) through issuing invoices to regulated entities after a regulatory action has taken place. This would allow the competent authority to identify and charge for specific costs, but would need to incorporate ongoing and residual costs into its invoice structure, which will complicate billing.

Option 2 : Introduce a ‘hybrid’ cost recovery model, which allows competent authorities to both recover costs on an estimated/projected basis (through monthly/quarterly/annual fees), and to recover exact costs through invoices.

• An example of existing legislation that gives cost recovery flexibility to regulators is the Communications Act, section 38. It provides the regulator Ofcom with the discretion to define appropriate cost recovery mechanisms (projected basis or recovery of historic costs) within certain parameters and safeguards.
• The government envisages this along the lines of a flat rate fee for all regulated entities, with entity specific costs (i.e. audits, investigations etc.) charged on an historic, as occurred, basis.
• This option entails removing the existing limitation in the same way as Option 1, but also allows more flexibility for regulators to recover costs in a way that is consistent with other legislation within their remit (thereby simplifying the process for regulated entities).

Costs and benefits

As a result of this measure, industry would incur the additional costs of enforcement activities that were previously incurred by the taxpayer. Regulators would also likely need to increase resources in order to adjust to carrying out additional enforcement activities.

In terms of benefits, this measure would lead to a more predictable allocation of resources for competent authorities. Competent authorities would be able to charge firms for the enforcement actions taken against them, therefore making firms responsible for paying for every aspect of the regulation. Moreover issues surrounding collecting sufficient central funding for enforcement activities was a key factor that led to under enforcement by regulators. This measure removes this financial issue and will facilitate enforcement action where needed, providing overall a greater incentive for companies to comply with the NIS Regulations and to bolster the resilience of their NIS systems.

5.11 Questions

Q46. Do you agree that the current cost recovery mechanism (invoice-based) needs to be changed? [YES/NO]

Q47. Please explain your answer. [OPEN QUESTION]

Q48. How should the government best fund regulatory oversight of the NIS regulations? [OPEN QUESTION]

Q49. How effective do you believe each of the government’s proposed options for how competent authorities should recover their costs from companies will be?

Option 1: Remove the limitation in the legislation and expand cost recovery to all regulatory activities

Option 2: Introduce a ‘hybrid’ cost recovery model, which allows competent authorities to both recover costs on an estimated/projected basis (through monthly/quarterly/annual fees), and to recover exact costs through invoices

• Very effective
• Somewhat effective
• Not at all effective
• Don’t know

Q50. Please explain your answer. [OPEN QUESTION]

Q51. Do you have any concerns about the burden that this proposal would place on regulated organisations, in light of other regulations they may be subject to? [YES/NO]

Q52. Please explain your answer. [OPEN QUESTION]

Q53. Please provide any other suggestions you may have for other options for how competent authorities should recover their costs from companies. [OPEN QUESTION]

Q54. Are there any other comments you would like to make about this measure? [OPEN QUESTION]

6. Annex A: Examples of managed services

Annex A contains examples of managed services which could be considered to be within the scope of measure 1. This is not an exhaustive list and is intended to provide examples of the type of services which would be considered a managed service under the proposed definition as well as those which would be out of scope (see below).

To note, services would only fall in scope if they meet the characteristics of a managed service, including relying on providers’ network and information systems involved in the delivery of a managed service.

Workplace services

• Managed print services
• Managed desktop / virtual desktop;

Managed Network support services

• Wide Area Network (WAN) support services
• Local Area Network (LAN) support services

Consulting

• Online security or technology advisory services,

Security services

• Managed Security Operations Centre (SOC);
• Security monitoring (SIEM);
• Incident response;
• Threat and vulnerability management (TVM)

Outsourcing

• Business Process Outsourcing services (front office/back office, onshore, nearshore or offshore, e.g. payroll, accounting, regulatory compliance),
• IT Outsourcing Services (ITO);
• Service Integration and Management (SIAM).

Analytics and Artificial Intelligence (AI)

• Interactive services (virtual client services etc),
• Data analytics, automation, optimisation and management services;

Business Continuity and Disaster Recovery services

• Planning and implementation
• Rehearsal environments
• Backup services

Software Engineering – Managed service provider develops source code, maintains source code, stores source code in its own repository

• DevOps – often cloud-based, featuring Agile development techniques (e.g. Scrum, XP);
• Application Modernization – remediation and migration of legacy software to cloud platforms
• Application Management – run and maintain services, security and patching

MSPs may provide cloud computing services, including the reselling or management of cloud computing services. However, these have not been included in this list as they would be caught by the. Current cloud computing service definition and therefore already result in the relevant provider and NIS being in scope. Please note data centres, digital infrastructure, hardware resellers are not directly within scope of this measure in of themselves, unless they form part of the network and information systems that support the provision of a managed service.

7. Annex B: Consultation questions

Pillar I: Proposals to amend provisions relating to digital service providers

Expanding the regulation of digital service providers

Q1. Do you agree that managed services should be brought into the scope of NIS Regulations? [YES/NO]

Q2. Do you agree with the examples of managed services proposed to be within or out of scope of the NIS Regulations, provided in Annex 1? [YES/NO]

Q3. IF NO AT Q2: Please explain the reasons for your answer. [OPEN QUESTION]

Q4. Do you agree that the range of managed services brought into scope of NIS legislation should be defined by the following characteristics?

A. They are supplied to a client by an external supplier [YES/NO]

B. They involve regular and ongoing service management of data, IT infrastructure, IT networks and/or IT systems [YES/NO]

C. They are categorised as business to business (B2B) rather than business to consumers (B2C) services [YES/NO]

D. Their provision relies on the provider’s own network and information system [YES/NO]

Q5. IF NO AT Q4 A-D: Please explain the reasons for your answer. [OPEN QUESTION]

Q6. Do you agree that the definition of managed services subject to regulatory obligations under NIS should be narrowed further? [YES/NO]

Q7. How effective do you believe each of the government’s proposed options for narrowing the definition of managed services will be?

• Have privileged access or connectivity to a customer’s data, IT infrastructure, IT networks and/or IT systems

• Perform essential or sensitive functions

• Very effective
• Somewhat effective
• Not at all effective
• Don’t know

Q8. Please explain why you believe each of the proposed options to be effective or ineffective. [OPEN QUESTION]

Q9. IF VERY EFFECTIVE AT Q7B: Please include specific essential or sensitive functions which you think should be included within a definition of managed services. [OPEN QUESTION]

Q10. Please suggest any further options for characteristics which could be applied to defining managed services. [OPEN QUESTION]

Q11. Do you think that the exemption for digital service provider small and micro-businesses should be modified to enable a small number of critical providers to be brought under scope of NIS Regulations? [YES / NO]

Q12. Please explain your answer. [OPEN QUESTION]

Q13. Are there any other comments you would like to make about this measure? [OPEN QUESTION]

The supervisory regime for digital service providers

Q14. Do you agree with the Government’s proposal to specify a two-tier supervisory regime for providers of digital services? [YES/NO]

Q15. Do you agree with the Government’s proposal to define the factors that the ICO should take into consideration as part of the two-tier supervisory regime? [YES/NO]

Q16. Do you agree that further guidance on supplier-customer cyber resilience cooperation is necessary, particularly as part of a supervisory regime for the most critical digital service providers? [YES/NO]

Q17. How effective do you believe each of the government’s proposed options for factors would be in ensuring the digital services most critical to the UKs resilience are captured?

A. The criticality of the customers supplied

B. The level of dependence of the customer on the service

C. The level of connectivity and access to the customers network

D. Market reach (e.g. average annual number of clients supported by a service)

E. Scale (e.g. annual staff headcount of a service)

F. Financial

G. Concentration in the market

H. The likely consequences for national security

• Very effective
• Somewhat effective
• Not at all effective
• Don’t know

Q18. Please explain why you believe the proposed options to be effective or ineffective. [OPEN QUESTION]

Q19. Do you have any suggestions for alternative factors that should be considered? [OPEN QUESTION]

Q20. Are there any other comments you would like to make about this measure? [OPEN QUESTION]

Pillar II: Proposals to future-proof the UK NIS Regulations

Delegated power to update the NIS Regulations in the future

Q21. Do you agree with the UK government having power to amend certain elements of the NIS Regulations and the UK version of the Commission Implementing Regulation 2018/151 through secondary legislation? [YES/NO]

Q22. Do you agree with the safeguards and limitations proposed in this document? [YES/NO]

Q23. IF NO AT Q22: Which safeguards do you consider to be inappropriate for this proposal? [OPEN QUESTION]

Q24. Are there any other safeguards or limitations that you feel that the government should consider? [OPEN QUESTION]

Q25. Are there any areas of the NIS Regulation in the UK which you think should not be included in the delegated power? [YES/NO]

Q26. IF YES AT Q25: What area(s) should not be included and why should it not be updated using secondary legislation? [OPEN QUESTION]

Q27. Are there any other comments you would like to make about this measure? [OPEN QUESTION]

Delegated power to amend the scope of the NIS Regulations

Q28. Do you agree with the government’s proposal for a delegated power that would allow the government to amend the NIS Regulations to expand the scope of the NIS framework? [YES/NO]

Q29. IF NO AT Q28: Please explain your answer. [OPEN QUESTION]

Q30: Do you agree that this measure should contain safeguards and limitations? [YES/NO]

Q31. IF YES AT Q30: What safeguards and limitations do you think should be in place? [OPEN QUESTION]

Q32. Do you agree that there are benefits in additional sectors being designated under NIS? [YES/NO]

Q33. IF YES AT Q32: What benefits do you see in additional sectors being designated under NIS? [OPEN QUESTION]

Q34. Are there any other comments you would like to make about this measure? [OPEN QUESTION]

Measure to regulate critical sectoral dependencies in NIS

Q35. Do you agree that the government should be granted the power to designate critical dependencies? [YES/NO]

Q36. Please provide any suggestions for changes or an alternative approach that would allow for the designation of critical dependencies. [OPEN QUESTION]

Q37. Are there any additional safeguards that you think are necessary? [OPEN QUESTION]

Q38. Are there any other comments you would like to make about this measure? [OPEN QUESTION]

Additional incident reporting duties beyond continuity of service

Q39. Do you agree with expanding incident reporting duties to include incidents that do not affect continuity? [YES/NO]

Q40. Please explain your answer. [OPEN QUESTION]

Q41. Do you agree with the below proposal for the additional incident reporting requirement? [YES/NO] “Any incident which has a significant impact on the availability, integrity, or confidentiality of networks and information systems, and that could cause, or threaten to cause, substantial disruption to the service.”

Q42. Please explain your answer. [OPEN QUESTION]

Q43. Please provide any alternative suggestions for how the additional incident reporting requirement could be defined? [OPEN QUESTION]

Q44. What factors do you feel are most important in assessing whether an incident has the potential to impact the continuity of the service? [OPEN QUESTION]

Q45. Are there any other comments you would like to make about this measure? [OPEN QUESTION]

Full cost recovery for NIS functions

Q46. Do you agree that the current cost recovery mechanism (invoice-based) needs to be changed? [YES/NO]

Q47. Please explain your answer. [OPEN QUESTION]

Q48. How should the government best fund regulatory oversight of the NIS regulations? [OPEN QUESTION]

Q49. How effective do you believe each of the government’s proposed options for how competent authorities should recover their costs from companies will be?

Option 1: Remove the limitation in the legislation and expand cost recovery to all regulatory activities

Option 2: Introduce a ‘hybrid’ cost recovery model, which allows competent authorities to both recover costs on an estimated/projected basis (through monthly/quarterly/annual fees), and to recover exact costs through invoices

• Very effective
• Somewhat effective
• Not at all effective
• Don’t know

Q50. Please explain your answer. [OPEN QUESTION]

Q51. Do you have any concerns about the burden that this proposal would place on regulated organisations, in light of other regulations they may be subject to? [YES/NO]

Q52. Please explain your answer. [OPEN QUESTION]

Q53. Please provide any other suggestions you may have for other options for how competent authorities should recover their costs from companies. [OPEN QUESTION]

Q54. Are there any other comments you would like to make about this measure? [OPEN QUESTION]

Demographic questions

Q55. Are you responding as an individual or on behalf of an organisation?

• Individual
• Organisation

Q56. [if individual] Which one of the following statements best describes you? [MULTICODE]

• Cyber Security professional
• Working in an organisation that may be impacted by these measures
• Professional in another sector
• Academic
• Student
• Interested in a career in cyber security
• Interested member of the general public
• Other [please specify]

Q57. [if organisation] Which one of the following best describes the sector of your organisation?

• Agriculture, forestry and fishing
• Production
• Construction
• Wholesale and retail trade; repair of motor vehicles and motorcycles
• Transport and Storage (inc. postal)
• Accommodation and food services
• Information and communication
• Finance and insurance
• Property
• Professional, scientific and technical
• Business administration and support services
• Public administration and defence
• Education
• Health
• Arts, entertainment, recreation
• Other services

Q58. [if organisation] Including yourself, how many people work for your organisation across the UK as a whole? Please estimate if you are unsure.

• Under 10
• 10–49
• 50–249
• 250–999
• 1,000 or more

Q59. [if organisation] Is your organisation covered by the Network and Information Systems (NIS) Regulations 2018?

• Yes
• No
• Don’t know

Q60. [if YES at Q56] What sector does your organisation provide your essential service(s) to? [MULTICODE]

• Health
• Energy
• Transport
• Digital Infrastructure
• Drinking water
• Organisation is a Relevant Digital Service Provider (RDSP)

Q61. [if organisation] Would you consider the service your organisation provides to meet the criteria of a managed service as outlined in measure 1/ Annex 1?

• Yes
• No
• Don’t know

Q62. [if organisation] Is your organisation headquartered in the UK?

• Yes
• No

Q63. [if organisation] Does your organisation operate in any EU member states?

• Yes
• No
• Don’t know

Q64. [if organisation] What is the name of the organisation you are responding on behalf of?

Q65. Are you happy to be contacted to discuss your response?

• Yes
• No

Q66. [if YES at Q62] Please provide a contact name and email address below

1. US Cybersecurity and Infrastructure Security Agency (CISA) (2021) ‘Top Routinely Exploited Vulnerabilities’, 28th July 2021 ↩

2. Home Office (2021) ‘Home Secretary Priti Patel speech to CyberUK Conference’, available online. ↩

3. Cabinet Office (2021), Global Britain in a Competitive Age: the Integrated Review of Security, Defence, Development and Foreign Policy, Objective 4.1: Building the UK’s national resilience, available online, p. 40. ↩

4. This also includes Commission Implementing (EU) Regulation 2018/151 which provides additional details on the security and notification requirements placed on digital service providers in scope of the NIS Regulations. ↩

5. Currently, only online search engines, online marketplaces, and cloud computing services are in scope of the NIS Regulations, under the Digital Service Providers sector. To note, some managed service providers that provide, resell or manage cloud computing services may already be captured by NIS Regulations through provision of cloud computing services. ↩

6. See Annex A, which goes into further detail around the types of organisations that may be in scope. ↩

7. DCMS (2021) Call for views on cyber security in supply chains and managed service providers ↩

8. “Privileged access”, in this context, means access and permission rights that are elevated from that of a standard user, where such access would otherwise be restricted and where this could permit the modification of the relevant service, network data, or infrastructure in a way that was not authorised. ↩

9. As set out in regulation 1(3)(e)(ii) of the NIS Regulations 2018. ↩

10. As set out in regulation 1(3)(e)(ii) of the NIS Regulations 2018. ↩

11. DCMS (2020) ‘Post-Implementation Review of the Network and Information Systems Regulations 2018’, Command Paper ↩

12. ICO (2018) ‘Security requirements for digital service providers’ ↩

13. DCMS (2018) ‘The Network and Information Systems Regulation 2018’, Impact Assessment ↩

14. DCMS (2020) ‘Post-Implementation Review of the Network and Information Systems Regulations 2018’, Command Paper. ↩

15. DCMS (2020) ‘Post-Implementation Review of the Network and Information Systems Regulations 2018’, Command Paper, p. 52. ↩

16. DCMS (2020) ‘Post-Implementation Review of the Network and Information Systems Regulations 2018’, Command Paper, p. 48. ↩

17. See the NIS Regulations (2018) for the relevant parts. ↩

18. Sectors and sub-sectors in this section should be read as including digital service providers as well as all other essential sectors (drinking water, energy, etc.) ↩

19. For a detailed view of costs and benefits incurred by both competent authorities and businesses, please refer to p.16 of the DCMS (2018) Network and Information Systems Regulations Impact Assessment ↩

20. (—105K(1)(a-b)), Telecommunications (Security) Act ↩

21. (—30BD(1)(b)(i-ii)), Security Legislation Amendment (Critical Infrastructure) Bill 2020 ↩

22. Regulation 11(7)(b) of the NIS Regulations 2018. ↩