Small and medium-sized managed service providers (MSPs) could find themselves subject to the Network and Information Systems Regulations under government plans to tighten cybersecurity laws – and have got three months to object to the tax hikes that will follow.
Plans to amend the EU-derived Network and Information Systems Regulations (NIS) are more likely than ever to see SMEs brought into scope, as The Register reported last year when these plans were first floated.
NIS is the main law controlling security practices in the UK today. Currently a straight copy of the EU NIS Directive, one of the benefits of Brexit leapt upon by the Department for Digital, Culture, Media and Sport (DCMS) is the new ability to amend NIS’s reporting thresholds.
Bringing MSPs under NIS “would provide a baseline for expected cybersecurity provision and better protect the UK economy and critical national infrastructure from cyber security threats,” as UK.gov said in a consultation document issued on Wednesday. Its plans are for MSPs, currently not subject to NIS, to be brought into the fold. This includes defining what an MSP does, legally, and possibly ending NIS’ existing exemption on SMEs.
“The government recognises the strong need to minimise regulatory burden on small and micro-businesses particularly in a rapidly evolving industry such as this. However, recent incidents have highlighted the scale of risk that can be associated with managed service providers – regardless of their size,” said the consultation document.
In essence, if an “operator of essential services” or a critical national infrastructure business outsources something to your MSP, prepare for NIS compliance.
And the flip side: money
Enforcement of NIS is carried out by the ICO, which is getting a funding bonus if Parliament nods through the NIS amendments. Initially coming from general taxation, in time DCMS wants to “extend the existing cost recovery provisions to allow regulators (for example, Ofcom, Ofgem, and the ICO) to recover the entirety of reasonable implementation costs from the companies that they regulate.”
SMEs across the whole British economy are already familiar with this kind of “cost recovery” activity through stealth taxes such as the ICO’s data protection registration fee.
Andy Kays, chief exec of a managed detection and response firm in London called Socura, agreed that “further market intervention is required to help raise the bar to protect the UK economy.”
“However,” he added, “I do believe that interventions like Cyber Essentials, GDPR and NIS have raised the profile of cyber and data security in the UK, and have improved understanding and investment where they are applicable among businesses.”
Jake Moore, global cybersecurity advisor with Slovakian infosec firm ESET, also agreed, saying in a statement: “Essential services are desperately in need of better protection so these new laws will help direct businesses into a more secure offering with the help and direction required. Laws often may seem like they do not go far enough but digital crime is fast paced and the goal posts constantly move making such plans difficult to project or even become out of date by the time they land.”
The consultation closes on 22 April. As well as questions about money, DCMS is also asking about whether the regs should be extended to SMEs and how detailed they ought to be. Have your say via theses 66 pre-formatted questions. ®