Can New Laws Boost UK’s Cyber Resilience?

The UK’s Department for Digital, Culture, Media & Sport says the proposed laws are “crucial to boosting the growth of the nation’s £150.6 billion digital sector”.

The UK’s Department for Digital, Culture, Media & Sport (DCMS) has recently laid out a series of new, suggested laws to help strengthen the nation’s cybersecurity standards. A facet of the government’s National Cyber Strategy 2022, the primary goal of these proposed laws was to help the UK strengthen the resilience of at-risk businesses to digital attack.

Research conducted by the DCMS in 2021 was cited as a major driver behind these new laws, alongside recent major data breaches in the US such as Facebook in April and Colonial Pipeline in May. They stated the proposed laws were “crucial to boosting the growth of the nation’s £150.6 billion digital sector”. Stakeholders in affected firms are expected to respond to the twin proposals, one for new legislation and one for standardising embedding and pathways, by 10 April 2022 and 20 March 2022 respectively.

What’s Happening?

Part of this proposal included expanding the powers of the UK Cyber Security Council to, in their words, “raise the bar and create a set of agreed qualifications and certifications so those working in cybersecurity can prove they are properly equipped to protect businesses online”. Established in March of 2021 as an independent, self-regulatory body, the Council’s stated mission is to develop national standards for the cybersecurity industry. Under the suggested laws, the Council would possess the power to link recognised job titles to extant certifications, meaning a potential cybersecurity employee would need to measure up to Council-approved competency standards to use specific job titles.

The DCMS also wants to hold larger companies to a higher reporting standard, requiring they “[report] to regulators such as Ofcom, Ofgem and the ICO, including a requirement to notify regulators of all cybersecurity attacks they suffer, not just those which impact their services”. Companies who provide “the most critical digital service[s] in the economy” would be required to “demonstrate proactively they are following NIS Regulations to the ICO,” while smaller service providers would be given a lighter touch by regulators.

Updating the country’s Network and Information Systems (NIS) Regulations was another major aspect of the proposal. Created in 2018, the NIS Regulations are directed toward enhancing the cybersecurity of companies who provide essential services like infrastructure, healthcare and utilities. In the new laws, the scope of the regulations would be expanded to include Managed Service Providers (MSPs). MSPs are defined in the proposal as companies who “provide specialised online and digital services” including “security services, workplace services and IT outsourcing”. Essentially, these are the companies you would outsource certain essential functions of your own business to if you didn’t have the budget or expertise to fill those roles in-house. Major players in the scene include IBM, Accenture and the UK’s Computacenter. Certain online services like search engines and cloud computing were already subject to the regulations.

Included in the proposal was a plan to “transfer all relevant costs incurred by regulators for enforcing the NIS regulations from the taxpayer to the organisations covered by the legislation to create a more flexible finance system and reduce the taxpayers’ burden”. In theory, this would give companies operating within the NIS regulations a financial incentive to maintain compliance. The DCMS additionally expressed a desire to “future-proof” the NIS regulations by giving the government the ability to update and expand their scope further if necessary.

What Could These New Laws Mean?

In theory, these ideas are good. Regulatory organisations like the Cyber Security Council need actual teeth and powers in order to accomplish anything of note, and adding MSPs to the scope of the NIS regulations is a step that should absolutely be taken, given how many companies rely on their services and how they function as another potential point of entry for attackers into major corporations. Holding companies to higher reporting standards is also wise. Companies whose services impact the general population, as many in the digital sector do, should be offering fast, accurate reports when data breaches occur.

And data breaches are occurring in the UK. According to DCMS research covering data breaches from March 2020 to March 2021, 39% of businesses in the nation had suffered a data breach, alongside 26% of charities. With so many in the UK working from home and using personal devices as part of their work, securing the digital environments we work in is all the more important. A 2021 Statista report revealed that 5.6 million people worked from home in 2020.

However, these proposals are just that: proposals. The legislation hasn’t even been introduced to Parliament yet, and the very companies these new laws are meant to police are consulting on the proposals. How much of the substance of these laws and standards will be changed to the benefit of those stakeholders before even going into the political quagmire that is a national legislative body? How much more will they be changed after going through Parliament, if they’re passed at all?

Overall, these proposals are good, but how they will tangibly impact the UK’s burgeoning digital sector will be more apparent once the requested consultation responses start to arrive in the spring.

Zephin Livingston
Zephin Livingston is a content writer for eWeek, eWeek UK, IT Business Edge, and SoftwarePundit with years of experience in multiple fields including cybersecurity, tech, cultural criticism, and media literacy. They're currently based out of Seattle.