UK MSPs Face Strict New Cyber Regulations

The U.K. government will classify managed service providers (MSPs) as critical service providers to try to stop supply chain attacks.

The government announced Wednesday it will strengthen the U.K.’s Network and Information Systems (NIS) regulations. The NIS regulations were established in 2018. The goal was to improve the cybersecurity of firms providing critical services, energy companies and the NHS.

The U.K. government said MSPs are also “key to the functioning of essential services that keep the UK economy running.”

The changes mean MSPs will now face fines of up to £17 million (US $20.8 million) if they fail put in place effective cybersecurity measures.

The U.K. government cited high-profile attacks such as Operation CloudHopper, which targeted MSPs and compromised thousands of organizations. It said the U.K.’s cyber laws need to be strengthened. This is to “continue to protect vital services and the supply chains they rely on.”

UK Cyber Minister Julia Lopez

“The services we rely on for health care, water, energy and computing must not be brought to a standstill by criminals and hostile states,” said U.K. cyber minister Julia Lopez. “We are strengthening the U.K.’s cyber laws against digital threats. This will better protect our essential and digital services and the outsourced IT providers which keep them running.”

Industry Reaction

Other changes include requiring essential and digital services to improve cyber incident reporting to regulators such as Ofcom, Ofgem and the ICO. This includes notifying regulators of a wider range of incidents that disrupt service, or which could have a high risk or impact to their service. This could even be if they don’t immediately cause disruption.

The U.K. government said the updated rules will allow regulators to establish a cost recovery system for enforcing the NIS regulations that is more transparent. It will also consider the wider regulatory burdens, company size, and other factors “to reduce taxpayer burden.”

Paul Maddinson is director of national resilience and strategy at the National Cyber Security Centre (NCSC). He said he welcomed the changes to the regulations.

“These measures will increase the resilience of the country’s essential services – and their managed service providers – on which we all rely,” said Maddinson.

Carla Baker, senior director of public policy U.K. & Ireland, Palo Alto Networks, also weighed in. She said the vendor welcomed the opportunity to engage with the U.K. government. She said it was developing “guidance for industry to enhance cyber resilience and combat the risk that malicious actors pose to the U.K.’s national security.”

U.K. MSPs broadly welcomed the proposed changed during the consultation period in 2021. Comments included that the changes were “a step in the right direction.”