UK Expands Information Security Regulations to Cover MSPs

13th February 2023

The UK's Department for Digital, Culture, Media & Sport has announced major reforms to the country's Network and Information System (NIS) Regulations to increase security standards and reduce the risk of cyber attacks. Originally introduced in 2018 to comply with EU laws, the NIS Regulations currently focus on the security of essential services and digital service providers (DSPs), such as online marketplaces and cloud computing services. The recent reforms will expand the definition of DSPs to include managed service providers, covering a broad range of IT-related services including remote security monitoring, digital ticketing, and billing.

The government also plans to improve cyber incident reporting to regulators, establish a cost recovery system for enforcing the NIS Regulations, and give itself the power to amend the regulations in the future. The Information Commissioner will adopt a more risk-based approach to regulating digital services. The UK government intends to introduce the changes as soon as parliamentary time allows. The EU is also strengthening its own network and information security regime through the recently enacted Network and Information Security Directive (NIS2), which must be transposed into national law by October 2024. This means that DSPs operating in both the UK and the EU will have to manage two similar, but not identical, regulatory regimes.

Expanding the NIS Directive rules to cover managed service providers is a precaution against supply chain attacks, but it could prove costly to MSPs, and those costs could potentially be passed on to customers. The proposal was prompted by a recent increase in supply chain attacks, in which hackers target software and service providers in order to reach their network of customers. MSPs have become a prime target for these attacks because organisations have grown increasingly reliant on them since the start of the pandemic. The increased costs could also reduce MSPs' profitability, which could in turn lead them to cut back on other services or even reduce the quality of their offerings. MSPs may also become less willing to serve customers or industries that are considered high-risk or that have more stringent security requirements. In short, the expansion of the NIS Directive rules to cover MSPs is likely to increase costs for both MSPs and their customers. The exact impact will depend on a number of factors, including the specifics of the rules, the size and complexity of the MSP's operations, and the nature of the services it provides. However, the increased costs may be necessary to ensure that MSPs can better protect their customers from supply chain attacks, which have become increasingly common in recent years.

The UK government's expansion of the NIS Regulations to cover managed service providers will improve security standards and reduce the risk of cyber attacks. However, it will also come at a cost to MSPs and potentially to customers, and businesses will have to manage two similar but not identical regulatory regimes.