How UK organisations can prepare for the next wave of cybersecurity regulation

With the increasing frequency, scale and consequences of cyberattacks, cyber laws are changing to ensure organisations in all industries are adequately protected. As we meet the anniversary of GDPR on 18^th May, there’s further legislation to come which will impact UK organisations across the board. No longer bound by EU legislation, the UK will be a mere bystander to the upgraded cyber rules of the NIS2 Directive, adopted in January 2023 by the European Council.

NIS2’s overarching rationale is to protect critical national infrastructure and reduce interruptions in essential or important services provided by regulated entities. Echoing this, the significant increase in supply chain attacks, such as the SolarWinds incident, has prompted the UK to independently review its own cyber laws. In fact, the latest government data shows that just over one in ten businesses review the risks posed by their immediate suppliers (13%), and the proportion for the wider supply chain is just 7%. The new regulations will for the first time see managed service providers (MSPs) become a key focus for heightened cybersecurity,  whose clients include government departments and critical infrastructure.

Journey to new levels of UK cyber defence

Following the latest UK Government proposal in late 2022 to ‘strengthen’ legislation to improve the UK’s cyber resilience, it’s hotly anticipated that the UK Network and Information Systems (NIS) Regulations 2018 will be revised (as soon as parliamentary time allows) in an effort to protect essential and digital services and minimise the risks of public impact. This is expected to take effect some time in 2024.

The UK currently has a myriad of regulations in place governing cybersecurity, data privacy, and data protection. These include DPA (Data Protection Act 2018), UK-GDPR (UK General Data Protection Regulation), NIS Regulations (Network and Information Security Regulations 2018) and Computer Misuse Act 1990. An investment in cybersecurity solutions is already required for organisations to meet regulations, protect devices and the network and data, to detect abnormal activity and for security ownership within organisations.

An upgrade in legislation means UK organisations will need to reconsider their security strategies to maintain compliance with potential anticipated standards. This will include potentially investing further considerable sums to meet these new security requirements. Although almost universally firewalls and laptops are being protected and cloud security is slowly but surely improving, the focus on network protection will see network security solutions, such as intelligent network monitoring, becoming a key focus. In addition, supply chain security has not previously been in scope and is set to be raised as a requirement for the first time.

The proposed cybersecurity law amendments

Whilst the UK changes are far less ranging than the widening of scope introduced by NIS2, the divergence between the EU and UK cyber laws means we will see dual regulation for organisations operating in the EU and UK. The proposed amendments to the UK’s NIS regulations will extend application to digital service providers and see the establishment of a risk-based supervisory regime:

• MSPs will fall within the scope of NIS regulations and the provision of their services – security monitoring, incident response and digital billing – will be subject to regulations. With MSPs often having privileged access to customers’ IT networks, this aims to keep digital supply chains secure.
• Reporting incidents – Once the law is introduced, organisations will also have to report incidents that have occurred. When a more serious incident has occurred, this could be as short a timeframe as within 24 or 72 hours. In addition, the operations will be subject to follow-ups and audits, and these will be coordinated by national authorities. Details on reporting thresholds and what will need to be included in an incident report are still to be clarified by the regulators in collaboration with the National Cyber Security Centre (NCSC).
• The Information Commissioner’s Office (ICO) will take a more flexible, risk-based approach to regulating digital services and will be able to take into account how critical providers are to supporting essential services. The ICO will be responsible for producing any guidance on how it will regulate digital services.
• There is a proposed exemption for small or micro businesses, although the ICO will have the power to designate them to be within the scope if they are deemed systemically critical to the UK’s critical services or national security.
• Future-proofing regulations – The UK Government will have the power to amend the NIS Regulations in the future to ensure continued effectiveness, in consultation with the public. New sectors may be brought into scope if they are deemed to be critical to the UK’s economy.

Investment and other ways to prepare for changing legislation

Without knowing the upcoming requirements, some suggested areas for increased investment and understanding include:

• Cybersecurity investment – Most organisations realise the need to protect the IT network and devices, such as company laptops and devices, with anti-hacker tools, as well as the need to secure resources in the cloud. However, network infrastructure protection solutions, including intelligent monitoring, are still less common. The next directive is likely to enforce the securing of the network, to take preventative action to stop any potential threat in their tracks. This will require tools to detect abnormal activity wherever it occurs and continuous monitoring to be able to follow how attacks occur and move across the network. Recovery will also need improvement, to ensure that operations can continue after an incident has occurred.
• Formalised reporting – Organisations affected by a breach or attack will be expected to report every single incident of significance to national authorities. What’s essential is to have a holistic view of network activity and effective logging in order to record what happened afterwards. The directive also requires companies to appoint a responsible person for cyber security and to carry out regular security checks and risk assessments.
• Awareness and implications of non-compliance – With a wider range of organisations now regulated, organisations must know to what extent they fall under the UK NIS Regulations, the EU NIS2 regime or both and then determine the measures required for compliance. It might be new tech, or updated processes and procedures for reporting incidents to relevant authorities such as Ofcom, Ofgem, and the ICO. Being aware of the consequences for non-compliance is critical, with potential fines of up to £17m. Non-compliance can also result in claims for contractual breach and associated reputational damage.
• Strengthening national cybersecurity levels – There is a need to exchange knowledge and experience at a national and international level for effective coordination and control of cybersecurity risk.

Elevating UK-wide cybersecurity posture

As the UK economy further embraces digitalisation and becomes more dependent on cybersecurity, it will inevitably be subject to more regulation. Although a cumbersome and expensive process, the good news is that compliant organisations will minimise risk of becoming victims of a cyberattack. ­ The future focus will be on the importance of protecting network and information systems and supporting organisations to take a more proactive approach to cybersecurity to protect their tech ecosystems.

With the right cybersecurity investments and human expertise in place, organisations will be better equipped to prevent, respond to and recover from cyber-attacks. As the risks for organisations reduce, so will the risks of disruption for critical infrastructure in society.