What do the proposed NIS regulations mean for managed service providers?

NIS regulations

As attendees of our event CyberSmart Live! will know, one of the hottest topics within the cybersecurity industry at the moment is the proposed regulatory changes for managed service providers. The Department for Science, Innovation and Technology (DSIT) is planning changes to the scope of its Network & Information Systems (NIS) regulations to include MSPS. 

So, to help you understand whether your business is affected and what you need to do, here’s a quick summary of the potential changes.

What are the changes? 

Under the proposed framework, some MSPs (more on that later) will have a legal duty to:

  • Register with the Information Commissioner’s Office (ICO)
  • Take steps to secure their networks and information systems
  • Minimise the impact of incidents on their networks and information systems
  • Report incidents to the ICO

Why does this only apply to some MSPs?

The regulations don’t apply to small and micro providers. To qualify, your business must: 

  • Employ more than 50 staff
  • Have a turnover of more than €10 million per year

On top of this, only MSPs who meet the criteria of a digital service provider (DSP) under NIS regulations need to register with the ICO. NIS defines a DSP as “providing online marketplace services, cloud computing services, online search engine services or managed services.”

What are the changes to NIS regulations for? 

Cybercriminals are targeting MSPs with increasing regularity. The risk has grown so severe that security services from the ‘five eyes’ countries – Britain, the US, New Zealand, Australia and Canada – felt moved to issue an official warning in 2022. 

MSPs are so attractive to hackers because they’re usually part of a supply chain and have access to clients’ networks and IT environments. And, to add the icing on the cake for any cybercriminal, MSPs typically have access to large amounts of sensitive data – everything from financial information to breakdowns of customers’ security. 

We’ve seen countless examples of attacks on MSPs that lead to a huge breach across their entire client base. The NIS regulations are an answer to this. The proposed changes represent a real attempt by DSIT better to protect MSPs and their customers from the growing threat. 

When are the regulations due to come into force?

As of 13th April 2023, the Government has confirmed that it will go ahead with the proposed reforms to amend the NIS Regulations. So, we’re expecting to see the changes come into force sometime in 2024. Although, it should be noted that this is subject to the government finding “a suitable legislative vehicle”.

Is there anything else you should know?

At this point, you’ve likely got some further questions about the proposed changes. Unfortunately, we don’t have space to cover everything in this blog. But, for more information, we recommend checking out our handy set of FAQs on the regulations. You should find everything you need to know to prepare you for the changes.

Here is a follow up video we did with the Department for Science, Innovation and Technology that goes into further detail on the proposed NIS regulations for MSPs.

Times are tough for SMEs, with many facing tough financial decisions. So, to help out, we’ve put together a step-by-step guide to cybersecurity on a budget. Read it here.

Cost of living CTA 3