emiliau - Fotolia

NIS security regulations proving effective, but more work to do

The UK’s NIS cyber security and risk regulations are proving somewhat effective, according to a government report

The Department for Digital, Culture, Media and Sport’s (DCMS’s) post-implementation review (PIR) of the Network and Information Systems (NIS) cyber security and risk regulations has concluded they have been a relative success in terms of nudging organisations to take measures to ensure and improve the security of their networks and IT systems, but that there is still room for improvement.

The NIS Regulations came into force on 10 May 2018 under the auspices of the 2016-21 National Cyber Security Strategy, with the objective of improving the security by putting in place an appropriate regulatory framework for cyber risk to be properly managed across the UK economy. They are designed to raise security standards across critical sectors through “outcomes-based regulation” that “enables the approach to consistently adapt in a rapidly evolving environment”.

The regulations define critical sectors as those which if disrupted would cause significant economic and social harm to citizens, businesses, and national infrastructure, such as digital infrastructure and services, energy, health, transport and water.

Implemented and enforced by designated competent authorities with the support of the National Cyber Security Centre (NCSC), the regulations force such organisations to take “appropriate and proportionate” measures to ensure the security of their networks and information systems, both through managing risk and minimising any disruptive impact; and to notify the relevant competent authority about any incident that negatively impacts their cyber security, according to a number of pre-defined criteria.

In the report, the government said it was too early to judge the long-term impact of the regulations, but that relevant organisations had been working hard to achieve compliance and assessed that this action was indeed leading to a reduction in the risks posed to essential services and digital services relying on networks and information systems.

However, the report found that while the data suggested improvements were being made, there was clearly a need for organisations within the scope of the regulations to accelerate their improvements.

“Society and the economy at large rely extensively on the services in scope of the regulations, and the failure or compromise of network and information systems in these sectors is a systemic risk to the services they provide,” wrote the report’s authors in its preamble. There remains a significant threat to the sectors in scope of the regulations and intervening to reduce the risk in this sphere remains appropriate.”

Read more about security regulation

The auditors assessed that “proportionate and targeted” regulations were wholly appropriate and necessary considering the threats to the sectors in scope, which have ramped up dramatically during recent months, particularly in the healthcare sector. The government said it now plans to make some technical changes to the regulatory regime to ensure it remains proportionate and targeted and will be considering a number of amendments to be taken up.

These changes are likely to centre on cost recovery, to better enable competent authorities to conduct regulatory activity; the implantation of an improved appeals mechanism; more clarity around the wider enforcement regime; the introduction of support to manage risks to organisational supply chains; the introduction of best-practice sharing; and a number of measures to account for any changes that may be needed, or may become possible, after the end of the Brexit transition period.

Kuan Hon, a director in the technical team at law firm Fieldfisher, said that based on the statistics presented in the report, there had clearly been very limited enforcement of the NIS regulations so far, with no fines having been levied, and fewer incidents reported to regulators than DCMS anticipated. However, she added, compliance and incident reporting costs had been much higher than first expected.

“In light of Brexit, it [DCMS] will also be reviewing the thresholds for reporting incidents, which regulators have suggested may be too low, so UK OESs [Operators of Essential Services] and DSPs [Digital Services Providers] may have to report more incidents than currently,” she said.

“Also, they may face higher costs because DCMS is considering allowing regulators to recover their enforcement costs, on top of investigation/inspection costs, against the relevant OESs/DSPs. The UK already has one of the toughest NIS Directive regimes in terms of potential levels of fines (maximum £17m) and costs recovery, so OESs and DSPs may well resist any such changes if any consultation on a broader review of the regulations is issued.

“This particularly given that the enforcement regime does not seem to have been a key factor in driving security improvements to date; rather, GDPR seems to have been the bigger driver,” said Hon.

The full report can be downloaded from the government’s website.

Read more on Regulatory compliance and standard requirements