BCL’s Julian Hayes and Andrew Watson discuss the NIS Regulations with The Barrister Magazine

BCL’s Julian Hayes and Andrew Watson’s article “Preparing for the worst but operating at our best – Reform of the NIS Regulations” has been published by The Barrister. In the article they discuss the regulations and look into the challenges for the reforms in the face of increased online threats.

Here is a short extract from the article*. If you wish to read the full article, please visit The Barrister Magazine website.

“After keeping trains running to and from besieged towns and distributing humanitarian aid despite great personal risk, few would doubt the courage of the drivers of Ukrainian Railways since the invasion of their country. But their efforts could have been thwarted and the loss of life far greater had the ‘wiperware’ – malware installed by hackers and designed to incapacitate the rail network – not been neutralised before the Russian assault. Hostile states, though, are not the only threat actors menacing electronic communications networks supporting essential services across the world, with cybercrime rates in general reported to have doubled since 2019, and ransomware tripling since 2020. Targets have included hospitals, schools and local authorities. In the face of increased online threats, the UK government is seeking to bolster the nation’s cyber defences, publishing the National Cyber Strategy 2022 and enhancing the four-year-old Network and Information Systems Regulations (‘NIS Regulations’) to ensure the UK remains, in the government’s words, “confident, capable and resilient in this fast-moving digital world.”

National Cyber Strategy

Developed against the backdrop of the 2020 SolarWinds and 2021 Colonial Pipeline cyber-breaches in the US which respectively compromised secure government networks and fuel supplies to the US east coast, the UK’s National Cyber Strategy recognised the significant progress towards cyber resilience made by the UK in the past decade. But whilst celebrating the work of the National Cyber Security Centre, the much-admired scion of GCHQ, and the proliferation of cyber security guidance available to UK businesses and other organisations, the Cyber Strategy recognised the need to reduce cyber risks still further so businesses can take advantage of the economic benefits of widespread digitisation and citizens feel more secure online. That will require increased levels of cyber resilience, particularly within critical national infrastructure (‘CNI’) and to achieve it, the Cyber Strategy foreshadowed significant reform to the NIS Regulations.

The NIS Regulations

At present, the NIS Regulations apply to ‘operators of essential services’ (‘OES’), including utilities, health, transport, and to ‘relevant digital service providers’ (‘RDSPs’) including online market places and cloud computing services. They set a base level of security for network and information security systems (that is, electronic communications networks and devices which normally process digital data) used by these entities, and mandate the reporting of cyber security incidents which disrupt the continuity of service, for example, in the supply of electricity, the access to drinking water or the availability of healthcare. A government review of the NIS Regulations in May 2020 found that, while they had improved cyber-security standards of in-scope entities, there was room for improvement. Business-to-business suppliers of outsourced digital services (‘managed service providers’) such as remote security monitoring, virtual desktop providers and billing services presented a particular risk, offering an exposed flank to hackers bent on circumventing the defences raised by OES and RDSPs themselves. As a result of the review’s findings, modifications were made to the NIS Regulations in December 2020.”

*This article was first published by The Barrister Magazine on 04 May 2022. If you wish to read the full article, please visit The Barrister Magazine website.

Julian Hayes is a partner specialising in corporate and financial crime, computer misuse offences, surveillance and data protection law. He advises individuals and corporates in relation to fraud and corruption investigations by the SFO, enforcement actions by the FCA (insider dealing and market abuse) and offences under the customs and excise legislation prosecuted by HMRC. As well as expertise in relation to cybercrime, Julian also specialises in advising data controllers and others on the provisions of the Data Protection Act 2018 and GDPR (including breach reporting), and Communication Service Providers in relation to their obligations under the Investigatory Powers Act 2016 and its associated Codes of Conduct. His work encompasses internal investigations, extradition (including Interpol Red Notices), ancillary matters such as judicial review, restraint and confiscation, mutual legal assistance, Norwich Pharmacal applications in the High Court and defending complaints against corporates for breaches of the OECD’s Guidelines for Multinational Enterprises.

Andrew Watson is a trainee solicitor at BCL. Since joining the firm in 2018, Andrew has been involved in many of BCL’s practice areas including: fraud, bribery, sanctions, money laundering and HMRC investigations and enquiries. Much of his work involves the Proceeds of Crime Act 2002 and the money laundering regulations, with examples ranging from the submission of suspicious activity reports to contesting applications for account freezing and forfeiture orders (AFFOs). He has also worked on cases involving Interpol Red Notices, extradition and applications for committal for contempt of court.
