Strict cybersecurity laws proposed for companies providing ‘essential services’
The government has proposed introducing new laws to ensure companies that provide essential digital services meet strict cybersecurity obligations, with hefty fines for non-compliance.
The Department for Digital, Culture, Media and Sport (DCMS) proposal also includes other legislation such as improving incident reporting and granting additional powers to the UK Cyber Security Council, which regulates the cybersecurity profession.
This would allow it to create a set of agreed-upon qualifications and certifications so those working in cybersecurity can prove they are properly equipped to protect businesses online.
The plans follow recent high-profile cyber incidents such as the attacks on SolarWinds and Microsoft Exchange servers, which exposed vulnerabilities in the third-party products and services that companies rely on.
“Cyberattacks are often made possible because criminals and hostile states callously exploit vulnerabilities in companies’ digital supply chains and outsourced IT services that could be repaired or patched,” said Minister of Digital Infrastructure, Julia Lopez.
“The plans we are announcing today will help protect essential services and our wider economy from cyber threats.
“Every UK organization must take their cyber resilience seriously as we strive to grow, innovate and protect people online. It is not an additional option.”
The Network and Information Systems (NIS) Regulations came into force in 2018 to improve the cybersecurity of companies that provide essential services such as water, energy, transport, health and digital infrastructure. Organizations that fail to put in place effective cybersecurity measures can be fined up to £17 million.
The government now wants to update the NIS regulations and expand the list of affected companies to include managed service providers (MSPs) that provide specialized online and digital services. MSPs, which include security services, workplace services and IT outsourcing, often have privileged access to their customers’ networks and systems.
NIS regulations require essential service providers to conduct risk assessments, implement reasonable security measures to protect their network, and report significant incidents.
DCMS research shows that only 12% of organizations review cybersecurity risks originating from their immediate suppliers and only 5% of companies address vulnerabilities in their broader supply chain.
National Cyber Security Centre Technical Director Dr Ian Levy said: “I welcome these proposed updates to the NIS regulations, which will help improve the overall resilience of cybersecurity in the UK.
“These measures will ensure that cybersecurity risks are properly managed by organizations and those on whom they depend.”
Last year, the Irish health service was hit by a “very large” ransomware attack, which caused significant disruption after the service was forced to shut down its IT systems.