Published 15 December 2022
On 30 November 2022, the UK government announced that Managed Service Providers (“MSP”) will be brought within the scope of the Network and Information Systems (“NIS”) Regulations designed to boost the UK’s cyber resilience against online attacks.
Many organisations outsource the management of their IT infrastructure to MSPs. An MSP may manage an organisation's networks, applications, ongoing help-desk service, data storage, security and monitoring services, and much else besides. Consequently, the very nature of MSPs means that a ransomware attack on an MSP can have far-reaching consequences: data belonging to a number of organisations may be encrypted and/or exfiltrated in a single attack. In addition, because an MSP holds privileged access to its customers' systems, there is a clear risk that an attack will permeate multiple IT ecosystems.
In August this year, Advanced, which is an MSP, was targeted by LockBit 3.0 ransomware, which led to an outage of NHS 111 and disruption to as many as 16 organisations that use Advanced to support their health and care platforms. Advanced will likely be dealing with the repercussions of the attack for a long time to come.
On 19 January 2022, the government published a call for views on amending NIS in line with the government’s recommendations to expand the scope of digital services regulated under the NIS Regulations to include “managed services”.
NIS came into force in the UK on 10 May 2018. It is designed to address threats posed to network and information systems; therefore, improving and protecting the functioning of the digital economy. Although NIS concerns itself primarily with cybersecurity measures, it also covers physical and environmental factors.
NIS currently applies to two groups of organisations: (1) operators of essential services (“OES”) (transport, energy, water, health, and digital infrastructure sectors); and (2) digital service providers (“DSPs”) (online marketplaces, online search engines, and cloud computing services).
The Information Commissioner's Office ("ICO") is responsible for all regulatory oversight of DSPs' compliance with NIS. The ICO has a number of powers, including enforcement notices, powers of inspection, and penalties. Failure to comply with the NIS Regulations could render an organisation liable to a fine of up to £17 million.
Outcome and Implementation
The government will now prioritise incorporation of MSPs within the remit of NIS. The aim is to capture a broad range of managed services defined by meeting all of the following characteristics:
The precise definition of MSP for the purpose of NIS is yet to be finalised and the government has acknowledged the fine balance it has to strike between a narrow definition, reducing the number of entities that ought to be regulated, against a broad definition which may inappropriately increase the regulatory burden.
The government is considering introducing further risk-based characteristics, such as whether the MSP:
The government’s proposals to bring MSPs within the remit of NIS are unsurprising. It is notable that 86% of those who responded to the consultation agreed that there are benefits to bringing MSPs within the remit of NIS. The announcement represents a positive step towards improving cybersecurity resilience in the UK by enforcing minimum security standards for MSPs and, in turn, reducing supply chain cybersecurity risk. Of course, no implementation of the proposals will act as a silver bullet against cyber-attacks, and so organisations, MSPs or otherwise, will still need to adopt a robust cybersecurity framework.
Changes to NIS, however small, currently require primary legislation to be laid before Parliament (although the government has also proposed that delegated powers be written into the primary legislation to allow the scope of NIS to be amended in future without further primary legislation). The definition of MSP for the purposes of NIS will require careful consideration and will no doubt be the subject of an interesting debate.
A more detailed consideration of NIS can be found by following this link: https://www.dacbeachcroft.com/en/gb/articles/2022/november/nis-breaches-the-national-cybersecurity-strategy-and-law-enforcement-engagement/