techUK summary: DCMS proposes new laws to strengthen the UK's cyber resilience
DCMS have outlined that new laws are needed to drive up security standards in the outsourced IT services used by almost all UK businesses. The proposals include improving the way organisations report cyber security incidents and reforming legislation so that it can react more flexibly to the speed of technological change.
The plans have emerged following recent high-profile cyber incidents, which exposed how vulnerabilities in the third-party products and services used by businesses can be exploited by cybercriminals and hostile states. They also follow an increase in ransomware threats to organisations, including some in critical national infrastructure. As laid out in the National Cyber Strategy, the government aims to make the UK more secure by taking a stronger approach to getting at-risk businesses to improve their cyber resilience, as part of its new £2.6 billion funding.
techUK has summarised the first of the two consultations below. techUK's summary of the second consultation can be found here.
As part of the £2.6 billion National Cyber Strategy 2022, the government is working to improve the cyber resilience of businesses and organisations across the UK economy. It is crucial to understand how malicious actors are able to compromise a country’s national security and disrupt activities in the wider economy and society. The government is therefore consulting on proposals for legislative changes which would drive up levels of cyber resilience, particularly in organisations which play an important role in the UK economy, like managed IT service providers.
The consultation outlines a proportionate response to a changing threat landscape: what was not even considered a risk five years ago is now a potential threat to UK national security. The government therefore needs to be adaptable in the face of this changing threat landscape, and the legislation needs to be flexible too; however, buy-in from industry is also needed in order for this to succeed, and the consultation welcomes it.
techUK members are able to submit their views on the proposals to DCMS here. The closing date for responses is 11:45pm on Sunday 10 April 2022.
To input into the techUK response please get in touch with the Cyber team.
The two proposals covered by this consultation, and their proposed measures, are:
1. Bring additional critical providers of digital services into the UK’s cyber security regulatory framework, in order to ensure that those providers who frequently have privileged access to, and provide critical support for, essential UK services have adequate cyber security protections in place and can be regulated effectively.
- Expand the scope of ‘digital services’ to include ‘managed services’;
- Apply a two-tier supervisory regime for all digital service providers: a new proactive supervision tier for the most critical providers, alongside the existing reactive supervision tier for everyone else.
2. Future-proof the UK’s existing cyber security legislation, primarily the Network and Information Systems (NIS) Regulations, so that it can adapt to potential changes in threat and technological developments.
- Create new delegated powers to enable the government to update the regulations, in terms of both framework and scope, with appropriate safeguards;
- Create a new power to bring certain organisations, ones that entities already in scope are critically dependent on, within the remit of the NIS Regulations;
- Strengthen existing incident reporting duties, currently limited to incidents that impact on service, to also include other significant incidents;
- Extend the existing cost recovery provisions to allow regulators (e.g. Ofcom, Ofgem and the ICO) to recover the entirety of reasonable implementation costs from the companies that they regulate.
There is further analysis of the need to improve UK cyber resilience in the 2022 Review of Cyber Security Incentives and Regulation, which has been published alongside this consultation.