The measures set out in the Cyber Security and Resilience (Network and Information Systems) Bill, as Minister Narayan’s Written Statement states, ‘respond to the threat we face – protecting the public at home, putting national security first, and making the UK a safe and confident place to do business’.

Broadly, the measures are part of three key areas of reform: (1) expanding the regulatory scope; (2) empowering regulators and enhancing oversight; and (3) ensuring an adaptive regulatory landscape to respond to the evolving threat landscape. We highlight the key aspects for members below.

An expanded scope

Similarly to the NIS Regulations in 2018, the Bill’s scope will focus on the UK’s essential services, or the sectors where disruption would have an effect on daily lives – such as the NHS, transport and energy. The Bill will also go further, bringing Managed Service Providers (MSPs), load controllers, designated critical suppliers and data centres into scope.

1. Managed Service Providers (MSPs): Large and medium MSPs will be brought into scope of the regulation. Many companies now outsource their IT services to MSPs, which provide essential services such as IT helpdesks and cyber security services. These companies have access to their customers’ systems – making them a clear target for cyber attacks. You can access the fact sheet for relevant digital providers here.

An MSP is defined as a service which:

is provided by one organisation to another organisation via a contract; and

consists of ongoing management in relation to a customer’s information technology systems; and

is provided by means of the organisation, or a person authorised by the organisation, having a connection (or access) to the customer’s network and information systems; that connection can be established on the customer’s premises or remotely.

2. Designated critical suppliers: The Bill will give competent authorities or the Information Commission the power to bring suppliers into scope of the regulation if they are deemed to supply an essential service. This is a key part of the government’s ambition to improve supply chain security across essential and digital services. A series of considerations must be taken into account before designating a supplier as ‘critical’ – this includes a period of consultation and an assessment of the impact any disruption could have on the UK’s way of life. This clause will bring the UK in line with the UK financial sector’s Critical Third Parties regime and the EU NIS2 Directive’s approach to supply chain duties.

A designated critical supplier is defined as:

The supplier must provide goods or services directly to an Operator of Essential Services (OES) for which the authority is the designated competent authority.

The supplier must rely on network and information systems in order to provide these goods or services.

An incident affecting the operation or security of any network and information systems relied on by the supplier for the purposes of that supply must have the potential to cause disruption to: the provision of any essential service, relevant digital service, or managed service by the person to whom the supply is made; or the provision of essential services, relevant digital services, or managed services (whether of a particular kind or generally) by persons to whom the supplier provides goods or services.

That disruption is likely to have a significant impact on the economy or the day-to-day functioning of society in the whole or any part of the United Kingdom. This includes both scenarios of direct service disruption and cyber risk introduced by the supplier’s systems.

3. Large load controllers: Load controllers are being brought into scope to reduce the risk of grid disruption through enhanced cyber security requirements.

A large load controller is defined as:

An organisation is deemed a large load controller if it manages electrical load for smart appliances – a key service as the UK continues its transition to Clean Power 2030 and Net Zero.

4. Data centres: Read techUK’s assessment of the requirements on data centres below.