Five major changes to the regulation of cybersecurity in the UK under the Cyber Security and Resilience Bill
As the UK Government has recognized, cyber incidents—such as those affecting Jaguar Land Rover, Marks and Spencer, Royal Mail and the British Library—are costing UK businesses billions annually and causing severe disruption. The Government recognizes that cybersecurity is a critical enabler of economic growth (“we cannot have growth without stability”), and that the current laws have “fallen out of date and are insufficient to tackle the cyber threats faced by the UK.” Accordingly, the UK Government this week published its long-awaited Cyber Security and Resilience Bill (the “Bill”), which will amend the existing Network and Information Systems Regulations 2018 (the “NIS Regulations”) and grant new powers to regulators and the Government in relation to cybersecurity.
The NIS Regulations are the UK’s pre-Brexit implementation of Directive (EU) 2016/1148 (the “NIS Directive”), which established a “horizontal” cybersecurity regulatory framework covering essential services in five sectors (transport, energy, drinking water, health, and digital infrastructure) and some digital services (online marketplaces, online search engines, and cloud computing services). EU legislators replaced the NIS Directive in 2022 with the “NIS2” Directive, which Member States were meant to transpose into national law by October of last year (although many Member States are still late in doing so; see our post on NIS2 here for an overview of its requirements).
The Bill is the UK’s effort at modernizing the framework originally set out in the NIS Directive. In its current form, the Bill will:
- Significantly expand the scope of the NIS Regulations—to cover, among other things, data centers and managed service providers—and impose additional substantive obligations on covered organizations.
- Increase potential fines—up to GBP 17m or 4% of the worldwide turnover of an undertaking—and extend the powers of competent authorities to share information with one another, issue guidance, and take enforcement action.
- Establish a framework for future changes to the NIS Regulations, mechanisms for competent authorities to impose specific cybersecurity requirements on covered organizations, and greater Government direction of cybersecurity matters.
Below, we set out further detail on five major changes in UK cybersecurity regulation arising from the Bill.
1. Data center operators—among others—will now fall within scope of the NIS Regulations
At present, the NIS Regulations cover two types of covered entities—“operators of essential services” (“OESs,” including the main types of critical infrastructure, such as energy, transport, and water providers) and “digital service providers” (“DSPs,” specifically cloud computing, online search engines, and online marketplaces).
The Bill will expand the scope of the OES designation to cover providers of data center services that offer a rated IT load of more than 10 megawatts and are provided “on an enterprise basis.” The Bill’s definition of “data centre service” broadly follows the equivalent definition in NIS2 but is more detailed; in essence, it covers the provision of data center space and supporting infrastructure (e.g., utilities and security infrastructure). This differentiates data center providers from cloud computing providers, which are already regulated as DSPs under the NIS Regulations. (Note that the definition of “cloud computing services” will also be amended.) The Secretary of State for Science, Innovation and Technology, along with Ofcom, will be the competent authority for regulating data center providers.
The Bill will also expand the scope of the NIS Regulations to cover:
- “Large load operators” in the electricity sector as OESs; and
- Managed service providers as a new category of operator with similar obligations to DSPs under the existing NIS Regulations. Interestingly, the definition of a “managed service provider” is more specific than the equivalent definition in NIS2. The Information Commission (which will soon replace the existing Information Commissioner’s Office) will be the competent authority for managed service providers.
2. More incidents will be reportable, and the Government reserves the right to impose more specific security requirements
At present, the NIS Regulations require an OES to report to its competent authority any incident that “has a significant impact on the continuity of the essential service which that OES provides,” taking into account factors such as the number of affected users, the duration of the incident, and the geographical area affected. DSPs must report incidents that have a “substantial impact on the provision of” any of the digital services they provide. It’s fair to say, however, that authorities have not been overwhelmed: according to the Government’s impact assessment, there were only 13, 12 and 22 NIS incidents reported in 2019, 2020 and 2021, respectively. The Government considers that this is because the definition of a significant incident has been too narrow.
The Bill will expand the types of incidents that are reportable, in some cases extending to incidents that have had or are likely to have a “significant impact” in the UK. Generally, reportable “incidents” will include incidents that are “capable of” creating adverse impacts—not just those that have an actual such effect. However, covered entities will need to review the definitions of incidents carefully to understand what is reportable, because there are slightly different thresholds for different categories of provider. For example, data center providers must report incidents that could have had, have had, are having or are likely to have, a significant impact on the operation or security of the network and information systems at issue, a significant impact on the continuity of the data center service, or any other significant impact.
In addition, the Bill will impose an obligation on OESs, DSPs, and managed service providers to notify customers that are likely to be “adversely affected” by the incident, taking into account the level of any disruption, any impact on that customer’s data, and any impact on their other systems.
Although the Bill does not set out new substantive security requirements on covered entities, it empowers the Government to impose such requirements, including for national security purposes.
3. The Bill attempts to address supply chain security for OESs by creating a new category of “critical suppliers”
The Bill would permit competent authorities responsible for overseeing OESs and DSPs to designate—subject to a consultation process—“critical suppliers,” i.e., individuals or organizations that rely on network and information systems to provide goods or services to an OES or DSP, for whom an incident would have the potential to cause disruption to the provision of an essential service that is likely to have a “significant impact on the economy or day-to-day functioning of society” in the UK.
As drafted, the Bill does not impose specific obligations on critical suppliers. However, such suppliers may, among other things, be the subject of directions from the UK Government to take steps in relation to the security of their services, or the subject of cybersecurity codes of practice from the Government. The Government has recognized that third-party service providers can create significant risks for OESs, DSPs, and managed service providers, and left itself flexibility to regulate further in the future.
In addition, organizations (or individuals) can be designated as critical suppliers by multiple competent authorities (e.g., if they provide services to OESs in multiple different sectors). In recognition of this, the competent authorities are required to coordinate with one another in relation to designation decisions.
4. Increased fines and enhanced powers for competent authorities
The headline is that the level of potential fines is significantly increased: the cap for the most serious infringements will be the higher of GBP 17m or 4% of the worldwide annual turnover of an undertaking. Ongoing infringements of requirements imposed by competent authorities can also be subject to daily penalty payments until they are rectified.
The Bill also empowers competent authorities to share information related to incidents among themselves, with law enforcement, with GCHQ, and with OESs, DSPs, managed service providers, and critical suppliers where necessary (although any such information sharing with private entities may not prejudice the security interests of others), and also with foreign competent authorities.
The Bill would also amend the NIS Regulations to set out in more detail the powers of competent authorities to demand information from covered providers, carry out inspections, and take enforcement action. Competent authorities are also empowered to charge covered entities to cover the costs arising from the exercise of the authority’s functions, subject to charging “schemes” that competent authorities may develop (subject to consultation with the organizations they regulate).
5. The UK Government will be empowered to take a more active role in cybersecurity regulation in the future
Parts 3 and 4 of the Bill establish a framework for the UK Government to set both the broad strategic direction for competent authorities’ oversight and enforcement of cybersecurity, and to impose more granular obligations on covered providers.
At a high level, and among other things, the Bill would:
- require the Government to maintain a statement of its strategic priorities in relation to cybersecurity;
- empower it to pass secondary legislation requiring certain organizations to take specific cybersecurity measures and/or to grant new powers to competent authorities;
- as set out above, empower the Government to impose—in certain circumstances—specific cybersecurity requirements on all types of entities covered by the NIS Regulations, as well as other entities the Government chooses to designate. This includes a framework for imposing obligations on providers for national security purposes; and
- empower it to issue codes of practice setting out more detail on the measures covered providers could take to comply with their obligations under the NIS Regulations.
* * *
The Data Privacy and Cybersecurity Practice at Covington has deep experience advising on privacy and cybersecurity issues across Europe, including on the NIS Regulations, NIS2, and other cybersecurity laws. If you have any questions about how the Cyber Security and Resilience Bill will affect your business, or about developments in the cybersecurity space more broadly, our team would be happy to assist.
