The ICO has formally welcomed the Cyber Security and Resilience Bill (the Bill) as a “meaningful and necessary update” to the UK’s existing Network and Information Systems (NIS) Regulations 2018.
The Bill expands the ICO’s remit to include relevant managed service providers (RMSPs) and “critical suppliers” in addition to the relevant digital service providers (RDSPs) currently covered. The regulator highlighted that as digital supply chains grow more complex, a proactive, risk-based oversight model is essential to prevent systemic “cascading” failures where an attack on a single provider disrupts multiple essential services through digital service interdependencies.
The aim of the Bill is to:
– Strengthen existing legislation by bringing more organisations into scope: RMSPs, data centres and critical parts of supply chains (critical suppliers designated by regulators)
– Expand the role of regulators (including the ICO) with stricter incident reporting, compliance with priority outcomes set by the Government and provisions relating to sharing information, recovering costs and enforcement
– Enable resilience by introducing the ability to adapt to new threats using secondary legislation and directing regulators to respond to imminent threats
While the ICO is eager to transition to the more proactive, risk-based oversight role envisaged by the Bill, it has urged the government to provide greater clarity in secondary legislation and guidance so that the change in the legislation's scope (in terms of who and what is covered) is easy to understand, helps organisations comply with their obligations and avoids an unnecessary administrative burden on industry. The ICO has committed to proactively engaging with RDSPs and RMSPs to provide practical guidance and welcomes industry views on what support would be most helpful for ensuring compliance.