The UK’s cybersecurity laws will be updated to require outsourced IT providers to meet security standards as part of efforts to better protect supply chains, the Government has announced.
The Network and Information Systems (NIS) Regulations will be updated so third-party firms providing IT services to businesses will be compelled to have effective cybersecurity measures in place to protect them and their client’s data, with fines for non-compliance.
Those rules already apply to UK companies providing critical services in a range of sectors including energy, water and transport, but will now bring outsourced firms into scope as well.
The decision comes after a consultation and in the wake of increasing levels of cyber attacks targeting critical infrastructure in countries around the world as a way of inflicting substantial damage on entire nations.
The services we rely on for healthcare, water, energy and computing must not be brought to a standstill by criminals and hostile states
Cyber minister Julia Lopez
The Government said it has noted the increase in attacks, which also target supply chains as a way of compromising potentially thousands of organisations at the same time.
Earlier this month, the National Cyber Security Centre (NCSC), part of GCHQ, published its annual review, which said the cyber security threat to the UK has “evolved significantly” over the past year – with 18 cybersecurity incidents requiring a nationally co-ordinated response.
These include attacks on an NHS supplier and a water utility company, it said.
“The services we rely on for healthcare, water, energy and computing must not be brought to a standstill by criminals and hostile states,” cyber minister Julia Lopez said.
“We are strengthening the UK’s cyber laws against digital threats.
“This will better protect our essential and digital services and the outsourced IT providers which keep them running.”
The Government said the updates to the regulations will be made as soon as parliamentary time allows, and will also include measures that require firms to improve cyber incident reporting to regulators.