BCL’s Julian Hayes and Andrew Watson’s article ‘Preparing for the worst but operating at our best – Reform of the NIS Regulations’ has been published by The Barrister. In the article they discuss the regulations and look into the challenges for the reforms in the face of increased online threats.
Here is a short extract from the article*. If you wish to read the full article, please visit The Barrister Magazine website.
“After keeping trains running to and from besieged towns and distributing humanitarian aid despite great personal risk, few would doubt the courage of the drivers of Ukrainian Railways since the invasion of their country. But their efforts could have been thwarted and the loss of life far greater had the ‘wiperware’ – malware installed by hackers and designed to incapacitate the rail network – not been neutralised before the Russian assault. Hostile states, though, are not the only threat actors menacing electronic communications networks supporting essential services across the world, with cybercrime rates in general reported to have doubled since 2019, and ransomware tripling since 2020. Targets have included hospitals, schools and local authorities. In the face of increased online threats, the UK government is seeking to bolster the nation’s cyber defences, publishing the National Cyber Strategy 2022 and enhancing the four-year-old Network and Information Systems Regulations (‘NIS Regulations’) to ensure the UK remains, in the government’s words, “confident, capable and resilient in this fast-moving digital world.”
National Cyber Strategy
Developed against the backdrop of the 2020 SolarWinds and 2021 Colonial Pipeline cyber-breaches in the US which respectively compromised secure government networks and fuel supplies to the US east coast, the UK’s National Cyber Strategy recognised the significant progress towards cyber resilience made by the UK in the past decade. But whilst celebrating the work of the National Cyber Security Centre, the much-admired scion of GCHQ, and the proliferation of cyber security guidance available to UK businesses and other organisations, the Cyber Strategy recognised the need to reduce cyber risks still further so businesses can take advantage of the economic benefits of widespread digitisation and citizens feel more secure online. That will require increased levels of cyber resilience, particularly within critical national infrastructure (‘CNI’) and to achieve it, the Cyber Strategy foreshadowed significant reform to the NIS Regulations.
The NIS Regulations
At present, the NIS Regulations apply to ‘operators of essential services’ (‘OES’), including utilities, health, transport, and to ‘relevant digital service providers’ (‘RDSPs’) including online market places and cloud computing services. They set a base level of security for network and information security systems (that is, electronic communications networks and devices which normally process digital data) used by these entities, and mandate the reporting of cyber security incidents which disrupt the continuity of service, for example, in the supply of electricity, the access to drinking water or the availability of healthcare. A government review of the NIS Regulations in May 2020 found that, while they had improved cyber-security standards of in-scope entities, there was room for improvement. Business-to-business suppliers of outsourced digital services (‘managed service providers’) such as remote security monitoring, virtual desktop providers and billing services presented a particular risk, offering an exposed flank to hackers bent on circumventing the defences raised by OES and RDSPs themselves. As a result of the review’s findings, modifications were made to the NIS Regulations in December 2020.”
*This article was first published by The Barrister Magazine on 04 May 2022.