Out-Law News
01 Apr 2025, 3:40 pm
About 1,000 additional technology providers will be brought within the scope of UK cybersecurity and incident reporting requirements if proposals set out on Tuesday are implemented.
The UK government outlined plans to bring ‘managed service providers’ within the scope of the UK’s existing Network and Information Security (NIS) regulations as part of a wider legislative reform initiative that will involve the introduction of a new Cyber Security and Resilience Bill.
At the same time, the UK government indicated an intention to bring data centre providers within the scope of NIS, which follows the recent designation of such providers as ‘critical national infrastructure’.
The Bill was one of several new pieces of legislation that the government pledged to introduce during the current parliamentary session, shortly after coming to power last summer. With publication of a new policy statement on the Bill, the government has now provided more details about what that new legislation will provide.
Also included in the government’s plans under the Bill are proposals to expand cyber incident reporting rules currently in force in the UK, measures to enhance supply chain security, and new transparency duties on providers of digital services to alert customers that may be affected by significant cyber incidents the providers experience.
The new regime will also be underpinned by stronger regulatory powers, including around information gathering, and could be supplemented by further legislation under consideration by the Home Office to curb payments to hackers behind ransomware attacks. The government further plans to legislate to enable it to update UK cyber laws more quickly in future to address emerging threats, without the need for new primary legislation.
The government said: “This Bill will make substantial improvements to this existing framework by bringing more entities into scope, and putting regulators on a stronger footing so that they can carry out their important duties.”
“The measures acknowledge the need for increased visibility over cyber threats, and the importance of simple and clear reporting requirements across different frameworks, including those under consultation by the Home Office to counter ransomware,” it added.
The current UK NIS Regulations 2018 are derived from the EU’s NIS Directive – a piece of legislation that sets out distinct cybersecurity and incident reporting obligations for so-called operators of ‘essential services’ (OES) and digital service providers (DSP). The original EU NIS regime has been updated since the UK regulations took effect: ‘NIS2’ had to be implemented in the EU member states by 17 October 2024; no equivalent update has so far been made to UK law. Last July, the UK government acknowledged the EU reforms and said the UK’s own regime requires “urgent update … to ensure that our infrastructure and economy is not comparably more vulnerable”.
Part of the UK NIS update will involve bringing managed service providers within the scope of the existing regulations, which impose cybersecurity standards and incident reporting obligations. The government has estimated that between 900 and 1,100 managed service providers will fall within the scope of the updated regime.
“Managed service providers (MSPs) play a critical role in the UK economy by offering core IT services to businesses,” it said. “These organisations have unprecedented access to clients’ IT systems, networks, infrastructure, and data. This makes them an attractive target for malicious actors and subject to cyber attacks, including those that resulted in impacts on clients. This has included the Cloud Hopper attack on MSPs and the attack on the Ministry of Defence’s personnel system. These highlight the vulnerabilities of MSPs and by extension, the critical services they support.”
“This measure will expand the remit of current regulations by bringing entities who provide managed services into the scope of the regulations. Placing duties on MSPs will enable us to protect a broader range of services from cyber attacks and build a better picture of the threats facing our essential services,” it said.
OES and DSPs under the NIS regime could also be subject to additional supply chain security obligations, the government said. It intends to give itself powers to write secondary legislation regarding supply chain security into the new Bill. Those regulations could, it said, contain a suite of obligations, such as contractual requirements, security checks, or continuity plans, that OES and DSPs would have to ensure were implemented within their supply chains.
The government further outlined its plans to introduce a power for regulators to identify and designate specific high-impact suppliers as ‘designated critical suppliers’ (DCS), bringing them under obligations comparable to those placed on OES and DSPs.
A broadened cyber incident reporting regime is also envisaged under the new Bill, to address existing gaps that limit oversight of cybersecurity vulnerabilities in the UK economy.
The government said: “Under the current NIS regulations, for an incident to be reportable, it must have resulted in interruption to the continuity of the essential or digital service. This is too narrow in scope and many incidents of concern are not reported. The Bill will expand this to capture incidents [that] are capable of having a significant impact on the provision of the essential or digital service, and incidents that significantly affect the confidentiality, availability, and integrity of a system. This will include the compromise of data confidentiality, spyware attacks that use firms that provide digital services (including MSPs) as a vector to access other organisations, or other incidents significantly affecting the integrity of a system.”
Under the proposals, organisations within the scope of the new incident reporting regime will also be expected to make an initial notification of incidents to regulators and the UK National Cyber Security Centre within 24 hours of becoming aware of them, before following up with a more detailed incident report within 72 hours.