Stuart Davey of Pinsent Masons, the law firm behind Out-Law, was commenting after the first post-implementation review was carried out of the NIS Regulations by the UK government.
The NIS Regulations implement the EU's NIS Directive and took effect in May 2018.
The NIS rules are designed to ensure critical IT systems in central sectors of the economy, such as transport, energy, water, health and digital infrastructure, are secure. So-called 'operators of essential services' are subject to the strictest NIS requirements, with a lighter touch framework applicable to online marketplaces, online search engines and cloud computing service providers, collectively referred to in the legislation as 'digital service providers' (DSPs). Both operators of essential services and DSPs face obligations to keep their networks and information secure and to notify certain security incidents to 'competent authorities', such as the Information Commissioner's Office (ICO) in the case of DSPs.
According to the government's review, "it is too early in the implementation to judge whether the full longer term benefits [of the NIS Regulations] have been realised". However, the report said that there is initial evidence that "advancements are being made as a result of the NIS Regulations" and that the government expects these "to lead to a longer-term improvement in the security of network and information systems, raising their resilience".
Specific improvements recognised by many organisations surveyed as part of the government's review include increased prioritisation of security within senior management, strengthened security policies and processes, and the bolstering of procedures for recovering from cybersecurity incidents.
Room for "further improvement" was, however, identified by the review.
"Initial assessments, submissions from competent authorities, and survey data suggest that in many sectors improvement is still required if the security and resilience of networks and information systems is to match the scale of the threat," the government's report said.
Davey said: "The introduction of the NIS regime flew under the radar, as it was overshadowed by GDPR coming into force around the same time. This review has identified that organisations in scope of NIS were largely motivated to improve network and information systems security prior to the introduction of the NIS Regulations, principally because of the need to comply with GDPR. Whilst the review notes that organisations may have continued to improve network and information systems security even had the Regulations not been introduced, our experience is that a large number of organisations have taken impressive measures to improve their network security, driven by the NIS requirements. The Regulations therefore form an important tool with which to help organisations improve their cybersecurity. This, no doubt, remains an ongoing journey."
"It is not just organisations which could do more to enhance their cyber readiness; our experience in the past two years since the implementation of the NIS Regulations is that many competent authorities could do more in order to provide the most effective regulatory framework for cyber security improvements. Competent authorities could ensure they are sufficiently resourced and publish more sector-specific guidance on measures to help organisations improve their cyber readiness, and to help organisations ensure that they are NIS compliant," Davey said.
The European Commission is obliged under the NIS Directive to review implementation of the Directive on an EU-wide level by May 2021. A similar review clause was inserted into the UK's NIS Regulations to precede the EU review next year. The next UK review of the NIS Regulations is due to take place in 2022.