What do the proposed NIS regulations mean for managed service providers?

As attendees of our event CyberSmart Live! will know, one of the hottest topics within the cybersecurity industry at the moment is the proposed regulatory changes for managed service providers. The Department for Science, Innovation and Technology (DSIT) is planning changes to the scope of its Network & Information Systems (NIS) regulations to include MSPs.

So, to help you understand whether your business is affected and what you need to do, here’s a quick summary of the potential changes.

What are the changes? 

Under the proposed framework, some MSPs (more on that later) will have a legal duty to:

  • Register with the Information Commissioner’s Office (ICO)
  • Take steps to secure their networks and information systems
  • Minimise the impact of incidents on their networks and information systems
  • Report incidents to the ICO

Why does this only apply to some MSPs?

The regulations don’t apply to small and micro providers. To qualify, your business must: 

  • Employ more than 50 staff
  • Have a turnover of more than €10 million per year

On top of this, only MSPs who meet the criteria of a digital service provider (DSP) under NIS regulations need to register with the ICO. NIS defines a DSP as “providing online marketplace services, cloud computing services, online search engine services or managed services.”

What are the changes to NIS regulations for? 

Cybercriminals are targeting MSPs with increasing regularity. The risk has grown so severe that security services from the ‘five eyes’ countries – Britain, the US, New Zealand, Australia and Canada – felt moved to issue an official warning in 2022. 

MSPs are so attractive to hackers because they’re usually part of a supply chain and have access to clients’ networks and IT environments. And, to add the icing on the cake for any cybercriminal, MSPs typically have access to large amounts of sensitive data – everything from financial information to breakdowns of customers’ security. 

We’ve seen countless examples of attacks on MSPs that lead to a huge breach across their entire client base. The NIS regulations are an answer to this. The proposed changes represent a real attempt by DSIT to better protect MSPs and their customers from the growing threat.

When are the regulations due to come into force?

As of 13th April 2023, the Government has confirmed that it will go ahead with the proposed reforms to amend the NIS Regulations. So, we’re expecting to see the changes come into force sometime in 2024, although this is subject to the government finding “a suitable legislative vehicle”.

Is there anything else you should know?

At this point, you’ve likely got some further questions about the proposed changes. Unfortunately, we don’t have space to cover everything in this blog. But, for more information, we recommend checking out our handy set of FAQs on the regulations. You should find everything you need to know to prepare you for the changes.

Here is a follow-up video we did with the Department for Science, Innovation and Technology that goes into further detail on the proposed NIS regulations for MSPs.



CyberSmart forges new channel partnerships to reach SMEs

We are delighted to announce two exciting new partnerships this week at CyberSmart. The first with Ingram Micro Cloud, part of one of the world’s leading channel distributors (IMUK), and the second with Synaxon UK, one of Europe’s largest channel buying groups.

Through these partnerships, we are extending our reach to allow us to help many more SMEs who are struggling to balance the demands of their business with the risks of cyber security.

“The team at CyberSmart is thrilled to be teaming up with new partners to do what we do best, and that is to defend the underdogs,” says Hugh Furness, CyberSmart’s Head of Channel Strategy.

“SMEs are often neglected in cybersecurity. With a lack of resources and expertise, they are an easy target for bad actors. With these partners’ help, we hope to extend our reach and foster a strong security culture across the channel.”

The streamlined CyberSmart service makes it easy for any business to achieve UK government-backed security certifications, including Cyber Essentials, Cyber Essentials Plus, and IASME-GDPR. And the prevention of cyber attacks doesn’t stop at certification. Compliance software ensures every device, personal or professional, used by a business is always secure.

Timing is everything

Cyber security is more important than ever. As the UK begins to reopen and offices welcome staff back, many businesses have emerged from the crisis into a hybrid world. The mix of remote and office working adopted by many organisations brings with it new security risks.

A recent report from VMware reveals that 91% of organisations have seen an increase in cyber attacks as a result of employees working from home. Online protection has become more important than ever before, but many businesses, especially smaller ones, still find the idea of it daunting.

“Cybersecurity is a huge issue and the importance of achieving Cyber Essentials certification and demonstrating that you are ready to protect your organisation, employees, and data, has never been greater,” echoes Mike Barron, Managing Director of Synaxon UK. “Our partnership with CyberSmart has come at exactly the right time. With more companies now operating virtually and most employees working at home, that’s becoming crucial. We’ve received an immediate and extremely positive response from Synaxon UK members who are using CyberSmart to get certified themselves and encouraging their customers to follow their lead.”

“Adding to our Cyber Security portfolio, CyberSmart aligns perfectly with our desire to create a unique environment in which our partners get the best in-house solutions, services and support,” concurs Colin McGregor, General Manager – Cyber Security, Ingram Micro UK. “We’re excited to show our partners just how we can facilitate their cyber needs, with CyberSmart no doubt contributing to this success.”

The CyberSmart team believes that every organisation should be able to easily comply with recognised standards to protect their data and infrastructure. Synaxon and IMUK will help us deliver that ability to many more businesses.

About our new partners

Ingram Micro Cloud (IMC), a division of Ingram Micro UK Ltd, was established in 2014 to help its partners realise their share of the cloud market opportunity. Ingram Micro Cloud is a master cloud service provider (mCSP) that offers channel partners and enterprises access to the leading global Cloud commerce platform, expertise, solutions and enabling programmes that empower organisations to realise their potential in the digital economy. Ingram Micro Cloud is the leading Cloud aggregator in the UK and a software company that is the powering engine for the channel.

Synaxon UK was launched in the UK in 2008 and has since become firmly established as the market-leading channel services group. Synaxon is much more than a dealer buying group. It’s a thriving, dynamic and forward-thinking community that works to advance the development and growth of its members. Synaxon offers a wide range of services as well as personalised account management and business development support to help MSPs, resellers, retailers, and office products dealers thrive.