U.K. Government Proposes New Cyber Incident Reporting Regulations on MSPs

The British government is introducing new mandatory reporting requirements for managed service providers (MSPs) to disclose cyber incidents.

Under the proposal, MSPs could be fined up to £17 million (about $20 million) for non-compliance, according to U.K. officials.

The Role of MSPs in the U.K.’s Security Posture

The government said on November 30 that MSPs “play a central role in supporting the UK economy.” It warned that MSPs are “an attractive and high value target for malicious threat actors and can be used as staging points through which threat actors can compromise the clients of those managed services.”

Correspondingly, the U.K. government plans to introduce the new MSP requirements through an update to the Network and Information Systems (NIS) Regulations. The regulations currently require operators of essential services such as water, energy and transport to uphold security standards and to notify national authorities about incidents, U.K. officials said.

The majority of the U.K.’s digital managed services — such as security monitoring, managed network services or the outsourcing of business processes — are not currently within the scope of NIS Regulations.

Paul Maddinson, director of National Resilience and Strategy for the U.K.’s National Cyber Security Centre (NCSC), described the path forward:

“I welcome the opportunity to strengthen NIS regulations and the impact they will have on boosting the UK’s overall cyber security. These measures will increase the resilience of the country’s essential services — and their managed service providers — on which we all rely.”

Digging into the Details

In regard to updating NIS Regulations, the British government proposes three “pillars” of action:

  1. Bringing additional critical providers of digital services into the U.K.’s cybersecurity regulatory framework to ensure that those providers have adequate cyber security protections in place, and can be regulated effectively and proactively
  2. Future-proofing the U.K.’s existing cyber security legislation, primarily the NIS Regulations, so that they can adapt to potential changes in threat and technological developments
  3. Standardizing the cyber security profession so that we embed consistent competency standards across the cyber profession.

As a product of the three pillars, the U.K. government recommends:

  • Expanding the scope of digital services to include managed services
  • Applying a two-tier supervisory regime for all digital service providers
  • Creating new delegated powers to enable the government to update the regulations, both in terms of framework but also scope, with appropriate safeguards
  • Creating a new power to bring certain organizations within the scope of the NIS Regulations
  • Strengthening existing incident reporting duties
  • Extending the existing cost recovery provisions to allow regulators to recover the entirety of implementation costs from the companies that they regulate

Jim Masters

Jim Masters is Managing Editor of MSSP Alert.