
UK Proposes a New Cyber Security and Resilience Bill

General / November 27, 2025

Written by: Haim Ravia, Dotan Hammer

The UK Parliament has begun deliberations on the Cyber Security and Resilience (Network and Information Systems) Bill. The Bill aims to improve the security and resilience of the network and information systems relied upon for essential activities, primarily by amending the existing Network and Information Systems Regulations 2018 (the NIS Regulations).

The Bill’s operative parts begin with amendments to the NIS Regulations that expand their scope and strengthen compliance and enforcement measures. New categories of regulated entities include data centers (as part of data infrastructure) and large load controllers in the electricity subsector, both designated as operators of essential services. The Bill also brings managed service providers within scope, designating them as relevant managed service providers (RMSPs) with duties to manage the risks to their network and information systems. Furthermore, it allows regulators to designate Critical Suppliers, so that the most important suppliers to essential and digital services are subject to mandatory cyber security requirements.

The Bill introduces new duties, including timely incident reporting (an initial notification within 24 hours and a full notification within 72 hours) and a duty to notify customers of certain incidents.

Maximum financial penalties are increased, with the higher maximum penalty reaching £17,000,000 or 4% of an undertaking’s turnover. Enforcement authorities are also given powers to levy periodic charges to recover their regulatory costs.

The Bill also confers powers on the Secretary of State to set strategy and make new regulations concerning system security and resilience. This includes designating a Statement of Strategic Priorities, which regulatory authorities must seek to achieve. The Secretary of State may make Regulations imposing comprehensive requirements on regulated persons and on those providing activity-critical supplies, backed by powers of enforcement, inspection and sanctions, and by higher financial penalties (up to £17,000,000 or 10% of turnover). A Code of Practice may also be issued, and the Secretary of State must report on network and information systems legislation at least once every five years.

Under the Bill, the Secretary of State is also granted powers to issue legally binding Directions to regulated persons or regulatory authorities where a security or operational compromise poses a risk to national security. Critically, compliance with a national security Direction takes priority over any conflicting regulatory requirement.
