The UK government has announced two new consultation periods as it seeks to strengthen the nation’s cybersecurity posture. The first aims to update the Network and Information Systems (NIS) Regulations to make British businesses more resilient to cyberattacks. The second focuses on embedding new standards and career pathways across the cyber profession.
Both are open for stakeholder responses until April 10 and March 20, 2022, respectively. “The plans we are announcing today will help protect essential services and our wider economy from cyberthreats,” commented Julia Lopez, minister of state for media, data, and digital infrastructure.
UK government to update NIS Regulations, bring MSPs into scope
The NIS Regulations were introduced in 2018 to improve the cybersecurity of companies which provide essential services such as water, energy, transport, healthcare, and digital infrastructure. Under the guidelines, organisations must undertake risk assessments and put in place reasonable and proportionate security measures to protect their network, with companies that fail to meet security standards facing fines of up to £17 million. The government is seeking to amend the regulations with proposals which include:
- Expanding the scope of the NIS Regulations to include managed service providers (MSPs)
- Requiring large companies to provide better cyber incident reporting to regulators, including a requirement to notify regulators of all cybersecurity attacks they suffer
- Giving the government the ability to future-proof the NIS Regulations by updating them and, if necessary, bringing more organisations into scope in the future
- Transferring all relevant costs incurred by regulators for enforcing the NIS Regulations from the taxpayer to the organisations covered by the legislation
- Updating the regulatory regime so the most critical digital service providers in the economy must demonstrate to the ICO that they are following the NIS Regulations
“I welcome these proposed updates to the NIS Regulations, which will help to enhance the UK’s overall cybersecurity resilience,” stated NCSC technical director Dr. Ian Levy. “These measures will ensure that cybersecurity risks are properly managed by organisations and those on whom they rely.”
UK Cyber Security Council to create cybersecurity qualifications and certifications
Along with the changes to the NIS Regulations, the UK government is also planning to introduce a set of agreed cybersecurity qualifications and certifications so those working in the sector can prove they are properly equipped to protect businesses. The move will give the UK Cyber Security Council the ability to define and recognise cyber job titles and link them to existing qualifications and certifications, making it easier for employers to identify the specific skills they need and create clearer career pathways without providing unnecessary barriers to entry and progression.
People will be required to meet competency standards set by the council, whilst a new Register of Practitioners will set out the practitioners who are recognised as ethical, suitably qualified, or senior.
Commenting on the announcement, Simon Hepburn, CEO of the UK Cyber Security Council, said: “The UK Cyber Security Council is delighted that these proposals recognise our cyber workforce lead role that will help to define and recognise cyber job roles and map them to existing certifications and qualifications. We look forward to being involved in and contributing to this important government consultation and would encourage all key stakeholders to participate too.”