Kuan0: Cyber Security & Resilience Bill: consultation

Saturday, 16 November 2024

Cyber Security & Resilience Bill: consultation

DSIT is seeking views on some measures planned under the UK Cyber Security and Resilience Bill, to be introduced in 2025 to update The Network and Information Systems Regulations 2018. I saw this a couple of days ago on the ICO's NIS webpage, then found more info on techUK's 8 Nov webpage.

Usefully, techUK has also listed all the consultation questions in one PDF. This is really helpful because, unlike EU consultations, which usually offer a downloadable PDF listing the questions, too many UK consultations expect respondents to go through a form page by page before they can see what the questions are. That wastes time for those wanting to provide considered responses to all questions holistically (some webpages don't even allow going back).

The deadline is soon according to ICO: 21 Nov 24, i.e. next Sunday!

As you'll know, the intention is to expand the NIS Regulations to catch even more types of organisations, and to reduce incident reporting deadlines (with staffing/costs implications for 24 hr reporting especially at the weekend). Some proposals resemble the changes under the EU's NIS2 Directive. Managed service providers will probably be brought into scope (proposed criteria below). Note the queries on the costs of rolling out MFA, and of password resets. DSIT is also asking competent authorities (but it seems not other stakeholders) whether data centres should be regulated. Interestingly, it also asks if any Competent Authorities currently review the supplier contracts of regulated entities for visibility into their supply chain, assurance of supplier cyber security and resilience measures, and/or have audit rights - familiar from GDPR, but could this be specifically required in future under NIS too?

Key excerpts:

Managed service providers (MSPs) to be brought within scope of Relevant Digital Service Provider (RDSP)

DSIT's proposed characteristics of a Managed Service Provider have 4 criteria:
1. The service is provided by one business to another business, and
2. The service is related to the provision of IT services, such as systems, infrastructure, networks, and/or security, and
3. The service relies on the use of network and information systems, whether this is the network and information systems of the provider, their customers or third parties, and
4. The service provides regular and ongoing management support, active administration and/or monitoring of IT systems, IT infrastructure, IT network, and/or the security thereof.

Incident reporting

Changes being considered "to ensure more incidents are reported and that incident information is communicated to relevant parties more quickly and clearly" include:
"1. A change to the definition of an incident under the existing NIS Regulations. To meet the current reporting threshold, an incident must have led to a significant or substantial disruption to service continuity. We are proposing to change the definition of a reportable incident to ensure that a wider range of incidents are captured, including incidents capable of resulting in a significant impact to service continuity and incidents that compromise the integrity of a network and information system.
2. A change to the amount of time an organisation has to report an incident from when it is detected. Currently, incidents must be reported without undue delay and no later than 72 hours after being made aware of the incident. We are assessing whether this time can be reduced to no later than 24 hours after being made aware of the incident.
3. New transparency requirements. We are considering introducing a transparency requirement which will ensure customers are notified of incidents which significantly compromise the integrity of a digital service upon which they rely."

On 24-hr reporting, DSIT wants to know:
1. Which members of staff are needed to develop and submit an NIS incident report?
2. Do you have the people required to submit an incident report already working weekend shifts?
3. Could you have staff on call as opposed to working weekend shifts in case there is the need to report an NIS incident? Could you save money by calling in members of staff when an incident is detected?
4. Is there a higher rate of pay for staff working weekends than those working during the week? If so, what overtime rate do staff get paid?

On transparency:
5. If an incident occurred which affected a service you provide, would you be able to identify which customers have been affected? (‘Customers’ in this question should be interpreted as businesses which rely on a digital service provider [cloud provider] for a service, not individual clients.) If so, how long would it take to identify which customers have been affected?
6. Do you have a plan in place for what to do if an incident occurs? [For RDSPs [i.e. cloud providers]]

MSPs:
7. [for OES] Do you use services provided by an MSP (or multiple MSPs) to deliver your essential service(s)? This would also include, for example, companies which provide IT outsourcing, BPO (business process outsourcing) where it is provided through IT networks, or cyber security services.
    a. If yes, please provide examples of where these services provided by an MSP (or multiple MSPs) are critical to the provision of your essential service? (note: names of companies are not required)
8. [for RDSPs] Do you provide managed services? This would include, for example, providing IT outsourcing, Business Process Outsourcing (BPO) where it is provided through IT networks, or managed security services.
9. Do you provide Business Process Outsourcing (BPO) services that involve ongoing management of an IT system/ infrastructure/network and have a connection or access to the customer?
    a. If yes, please provide examples of the BPO services provided by your organisation.
10. Do you provide managed IT services that secure or manage operational technology (OT)?
    a. If yes, please provide examples. Detailed examples are welcome, particularly where these relate to critical national infrastructure (CNI).
11. Do you provide system integration?
    a. If yes, is the system integration provided as part of a managed service? Please provide examples of the system integration you provide as part of a managed service.
12. Do you provide telecommunications services (e.g. WAN, LAN)?
    a. If yes, please provide examples of the telecommunications services you provide.
    b. If yes, do you consider that any of these telecommunication services constitute a ‘managed service’?
    c. If yes, are these telecommunications services regulated under the Communications Act 2003?
13. Is the cyber security of the services you provide (in the UK or overseas) currently regulated? Are you currently regulated for the cyber security for any of your services offered (in the UK or overseas)?
    If yes, please provide details of these regulations.

[Questions about small and micro cloud or managed services in the supply chain]

Operational technology (OT):
15. Does your organisation use operational technology to manage any critical or essential services?
16. [if yes to 15] If you purchase operational technology (OT) from a vendor, do you maintain and operate it ‘in house’?
17. [if yes to 15] Do you outsource the management of operational technology (OT) to third party providers?
    a. If yes, are these third party providers Managed Service Providers (MSPs)? (i.e., the same company that manages your IT systems/networks/Infrastructure)
    b. If yes, please provide examples of operational technology (OT) that you outsource to third parties (note: a description of the company would suffice, names are not required)

Managing risks - costs impacts of serious incidents:
18. How much would it cost your organisation to conduct a full rollout of multi-factor authentication for all users?
19. How much would it cost your organisation to conduct a full organisation-wide reset of passwords?
20. What other actions do you anticipate you might need to take to protect your organisation in the event of a major cyber security attack or resilience incident?

[Some duplication: the next set of questions is for firms NOT regulated under NIS, including 24-hr reporting and staff costs, OT, managing risks, small/micro MSPs/cloud providers, MSPs]

25. If you purchase operational technology (OT) from a vendor, do you maintain and operate it ‘in house’?
26. Do you outsource the management of operational technology (OT) to third party providers?
    a. If yes, are these third party providers Managed Service Providers (MSPs)? (i.e., the same company that manages your IT systems/networks/Infrastructure)
    b. If yes, please provide examples of operational technology (OT) you outsource to third parties (note: a description of the company would suffice, company names are not required)

Plus questions to competent authorities (CAs) re 24-hr reporting, staff etc., private vs. public organisations regulated and their size from micro to large, and:
38. Do any Competent Authorities currently review the supplier contracts of regulated entities to ensure that appropriate measures are being taken to manage supply chain risk? E.g. that regulated entities have visibility of their suppliers’ supply chain, have some level of assurance of the cyber security and resilience measures followed by their supplier, and/or have the right to audit their supplier? If so, please share details

Data centres
39. How many standalone data centres are owned and operated by OES/RDSP/MSP businesses under your remit in the UK?
40. Do you include standalone data centres owned and operated (enterprise data centres) by OES/RDSP businesses under your remit in your supervisory activity?
    a. If no under your current scope, have you previously considered or are you currently considering expanding your supervision to focus on your sector’s enterprise data centres?
    b. If yes, what compliance obligations are applicable to and what assurance is required in relation to OES/RDSP owned-and-operated data centres? For example, appropriate and proportionate measures + CAF.
    c. If yes, are there any measures or assurance designed for the data centre infrastructure that you apply and/or assess for your sector's data centres (or that guide your supervision) under the NIS? For example, standards designed for operational resilience of data centre infrastructure, the cyber security of operational technologies/industrial control systems, or levels of physical security of data centres.
41. To what extent do you agree with the following statements:
    a. It would be beneficial to have standardised guidance on “appropriate and proportionate” measures in relation to the security and resilience of data centres / data centre infrastructure
    (Strongly agree/Agree/Neither agree nor disagree/Disagree/Strongly disagree)
    b. UK third-party operated data centres should be brought into the scope of the NIS under dedicated supervision with a view to protecting them as CNI and OES/RDSP supply chains?
    (Same range from Strongly agree to Strongly disagree)