Today, the Department publishes the Government response to the consultation on improving the UK’s cyber resilience, which sought the public’s views on a package of measures.
Cyber resilience and the protection of critical infrastructure and technology are essential for the development of a thriving digital economy. The Network and Information Systems (NIS) Regulations 2018 provide legal measures to boost the overall level of security of network and information systems that are critical for the provision of digital services and essential services.
Cyber incidents against UK targets are growing in frequency and scale, increasing the risk of severe damage to critical national infrastructure and to the resilience of the economy. High-profile incidents in the last few years, such as the SolarWinds supply chain compromise and the Colonial Pipeline ransomware attack, as well as incidents this year including the attacks on the NHS 111 services and South Staffordshire Water, have demonstrated the devastating impact cyber attacks can have. It is therefore essential that legislation in the UK evolves to boost our defences.
In January 2022, the Government launched a public consultation on proposals to improve the UK’s cyber resilience, which included seven individual measures relating to the NIS Regulations, as well as further measures focusing on cyber skills (the consultation and Government response for which are available here). The consultation aimed to gather feedback on the proposals, including their favourability and suggestions on how they could be refined, in order to develop them further. Understanding the level of public support for these proposals and the nature of the feedback will allow us to ensure the amendments contribute to the development of our cyber security legislation and that we can effectively manage future cyber risks.
The Government response, relating to pillars one and two of the consultation, covers the entirety of the United Kingdom. Pillar one seeks to bring managed service providers into the scope of NIS, and considers a more flexible and risk-based supervisory regime for digital services, ensuring greater resilience of the UK’s most critical digital service providers. Pillar two seeks to amend the NIS Regulations to future-proof the legislation and allow the UK to adapt to emerging, evolving and critical threats. These changes would allow updating amendments to be made to the Regulations, new sectors and sub-sectors to be added, and existing sectors to be expanded via secondary legislation. In addition, the proposals would amend the existing cost recovery system to implement an improved, fairer scheme; amend the incident reporting thresholds to include incidents that do not directly affect the continuity of the service but nonetheless pose a significant risk to the security and resilience of the entities; and allow regulators to designate critical dependencies in the supply chains on which regulated entities’ services rely.
Overall, the feedback on the proposals has been very positive. This high level of support from industry demonstrates a recognition of the importance of these proposals in enhancing the resilience of the UK’s critical national infrastructure, which is critical for the continued growth of our economy.
The full Government response to the proposals is available on the Government website.
This statement has also been made in the House of Lords.