Wednesday, 30 April 2025

Navigating the Expanded NIS Regulations: Impacts and Next Steps for GRC Professionals


The UK government’s Cyber Security and Resilience Bill was first announced in the King’s Speech in July 2024. Its central change is to the Network and Information Systems (NIS) Regulations 2018, which it significantly updates by expanding their scope. 

Key among the proposed changes is bringing Managed Service Providers (MSPs) under regulation because of the critical role they play in running and protecting their clients’ IT infrastructure. An MSP is a company that operates and supports other organisations’ IT on their behalf, effectively ‘tech support for hire’; to do that job it typically holds privileged, persistent access to its clients’ systems and networks, which is exactly what makes a compromised MSP such a high-value target. 

The Government recently shared more detail about what the bill will include, and this article explores the rationale behind these regulatory changes, their impact on governance, risk, and compliance (GRC) practices, potential challenges, and offers actionable guidance for organisations preparing for compliance. 

Expanding the NIS Scope: A Strategic Move 

The existing NIS Regulations, introduced in 2018, primarily cover Operators of Essential Services (OES) in sectors such as energy, transport, health, drinking water and digital infrastructure, together with a narrow set of Relevant Digital Service Providers (RDSPs): online marketplaces, online search engines and cloud computing services. Under the proposed expansion, more digital service providers, and MSPs in particular, will be directly regulated because of their substantial access to, and influence over, clients’ critical IT infrastructure. 

Additionally, the revised regulations will introduce mandatory cybersecurity obligations into supply chains. Regulators will be empowered to designate certain suppliers as "critical", and those designated suppliers will then need to meet specific cybersecurity standards and incident reporting requirements in their own right, rather than only through contractual flow-down from their customers. This expansion mirrors the EU’s NIS2 Directive, where similar measures were adopted to address the systemic supply chain risk highlighted by incidents such as the 2021 Kaseya VSA ransomware attack, which reached many downstream businesses through their MSPs, and the 2020 SolarWinds Orion compromise. 

Implications for Governance, Risk, and Compliance 

Expanding the NIS scope brings significant implications for organisations in both currently regulated and newly included sectors. 

  • Governance and Leadership Accountability 
    Cybersecurity responsibilities will increasingly rest at board and senior management levels, requiring robust oversight frameworks. Organisations should clarify leadership roles, possibly assigning dedicated cybersecurity responsibilities within the executive team or board committees to ensure regulatory compliance. 
  • Risk Management Enhancements 
    Risk assessments must now explicitly address third-party cybersecurity risks. Organisations should proactively map dependencies, conduct rigorous supplier assessments, and establish enhanced vendor risk management practices. MSPs, as regulated entities, will need comprehensive internal risk management aligned with frameworks like the NCSC’s Cyber Assessment Framework (CAF). 
  • Compliance and Incident Reporting 
    Organisations newly regulated under NIS must implement effective cybersecurity policies, procedures, and robust incident reporting mechanisms. Notably, the government has proposed tighter incident reporting timelines: an initial notification within 24 hours of becoming aware of a significant incident, followed by a fuller report within 72 hours. Meeting a 24-hour window requires that detection, triage and the decision to report are streamlined in advance, not worked out during the incident. Clear documentation and preparedness for regulatory audits will be essential. 
  • Cultural and Operational Adjustments 
    Meeting these enhanced standards involves shifting organisational culture toward heightened cybersecurity awareness and accountability across all staff levels. This includes improved incident readiness, comprehensive training programmes, and the establishment of a security-focused internal culture. 

Potential Risks and Challenges 

Organisations face potential challenges while aligning with the updated NIS framework: 

  • Increased Compliance Burden: Newly regulated entities, particularly SMEs and smaller MSPs, may find the compliance requirements resource intensive. 
  • Definitional Ambiguities: Until the final definitions of "managed service provider" and "critical supplier" are settled in the legislation and regulator guidance, some organisations will be unsure whether they are in scope, which complicates planning. 
  • Supply Chain Coordination: Ensuring supplier cybersecurity compliance introduces complexity, especially when managing international suppliers or suppliers that serve many clients. 
  • Regulatory Overlap: Organisations operating across jurisdictions or under multiple regulatory frameworks (for example, UK NIS alongside EU NIS2) may face fragmented and partly duplicated compliance obligations. 
  • Future Regulatory Evolution: The Bill is intended to be updateable, for example to bring further sectors or services into scope later, so organisations must continually monitor evolving requirements rather than treat compliance as a one-off exercise. 

Actionable Next Steps for Organisations 

To proactively navigate the expanded NIS Regulations, organisations should take the following strategic steps: 

  1. Scope Determination 
    Conduct internal assessments to identify whether your organisation, or any of your suppliers, falls under the expanded regulations, and clarify your resulting compliance obligations. As a starting check, the government’s proposed MSP definition covers services that are provided to another organisation, rely on network and information systems, involve ongoing management, administration or monitoring of the customer’s IT, and involve a network connection to or access into the customer’s systems; if you provide or consume such a service, assume you need to plan for the new obligations. 
  2. Governance Enhancement 
    Engage senior leadership early and establish clear cybersecurity accountability, updating governance documents accordingly. 
  3. Strengthened Risk Management 
    Incorporate third-party and supply-chain risks explicitly into risk assessments. Establish or reinforce vendor risk management frameworks. 
  4. Updated Policies and Procedures 
    Revise or create comprehensive cybersecurity policies, ensuring they address incident reporting obligations and supply-chain security expectations. 
  5. Training and Awareness 
    Develop targeted cybersecurity training programs for employees and management, emphasising incident response processes, compliance responsibilities, and a shared culture of cybersecurity awareness. 
  6. Regulatory Engagement 
    Stay informed through regular engagement with regulatory bodies and industry groups to receive timely updates and best practices. Actively participate in consultations to help shape practical and manageable compliance expectations. 
  7. Continuous Compliance Monitoring 
    Establish internal mechanisms for continuous compliance monitoring, conducting regular self-assessments or audits to identify and address gaps proactively. 
  8. Incident Readiness 
    Prepare detailed incident response plans, ensuring teams understand the incident-reporting criteria and timelines, including who is authorised to decide that an incident is reportable and who submits the notification. Regular drills or tabletop exercises that rehearse rapid detection, assessment, and reporting of cybersecurity incidents against the proposed 24-hour clock are highly recommended. 

Conclusion 

The UK’s Cyber Security and Resilience Bill significantly reshapes the GRC landscape by extending NIS regulatory obligations to MSPs and designated critical suppliers. While the expanded framework presents compliance challenges, organisations that proactively embrace these changes, strengthening governance oversight, enhancing risk management, and fostering a robust cybersecurity culture, will be better positioned to mitigate risk, demonstrate regulatory readiness, and protect their businesses from evolving cyber threats.