U.K. Government Proposes New Cyber Incident Reporting Regulations on MSPs


The British government is introducing new mandatory reporting requirements for managed service providers (MSPs) to disclose cyber incidents.

Under the proposal, MSPs could be fined up to £17 million ($20 million) for non-compliance, according to U.K. officials.

The Role of MSPs in the U.K.’s Security Posture

The government said on November 30 that MSPs “play a central role in supporting the UK economy.” It warned that MSPs are “an attractive and high value target for malicious threat actors and can be used as staging points through which threat actors can compromise the clients of those managed services.”

Correspondingly, the U.K. government plans to introduce the new MSP requirements through an update to the Network and Information Systems (NIS) Regulations. The regulations currently require operators of essential services such as water, energy and transport to uphold security standards and to notify national authorities about incidents, U.K. officials said.

The majority of the U.K.’s digital managed services — such as security monitoring, managed network services or the outsourcing of business processes — are not currently within the scope of NIS Regulations.

Paul Maddinson, director of National Resilience and Strategy for the U.K.’s National Cyber Security Centre (NCSC) described the path forward:

“I welcome the opportunity to strengthen NIS regulations and the impact they will have on boosting the UK’s overall cyber security. These measures will increase the resilience of the country’s essential services — and their managed service providers — on which we all rely.”

Digging into the Details

In regard to updating NIS Regulations, the British government proposes three “pillars” of action:

  1. Bringing additional critical providers of digital services into the U.K.’s cybersecurity regulatory framework to ensure that those providers have adequate cyber security protections in place, and can be regulated effectively and proactively
  2. Future-proofing the U.K.’s existing cyber security legislation, primarily the NIS Regulations, so that they can adapt to potential changes in threat and technological developments
  3. Standardizing the cyber security profession so that we embed consistent competency standards across the cyber profession.

As a product of the three pillars, the U.K. government recommends:

  • Expanding the scope of digital services to include managed services
  • Applying a two-tier supervisory regime for all digital service providers
  • Creating new delegated powers to enable the government to update the regulations, both in terms of framework but also scope, with appropriate safeguards
  • Creating a new power to bring certain organizations within the scope of the NIS Regulations
  • Strengthening existing incident reporting duties
  • Extending the existing cost recovery provisions to allow regulators to recover the entirety of implementation costs from the companies that they regulate

1 Comment


    Mike Semel:

    This article fails to mention the exemption that will apply to a lot of MSPs.

    NIS has a general exemption for small and micro businesses. If you provide a digital service but have fewer than 50 staff and an annual turnover or balance sheet below €10 million, you are not an RDSP and therefore NIS does not apply to you.

    NIS doesn’t look at MSPs based on how many endpoints or users they support, just their staff (fewer than 50) and annual revenue or balance sheet (below €10 million). If you meet both of those conditions you are not an RDSP and not subject to NIS.
