The UK government is proposing new laws to improve MSP cybersecurity standards which involve fines of up to £17 million for those with shonky cybersecurity measures.
As part of its £2.6 billion National Cyber Strategy 2022, the government says new laws are needed “to drive up security standards in outsourced IT services used by almost UK businesses”.
It is consulting on proposals that include making improvements in the way organisations report cybersecurity incidents and reforming legislation so that it is “more flexible and can react to the speed of technological change”.
The UK Cyber Security Council is going to be granted powers to “raise the bar” and “create a set of agreed qualifications and certifications for those which work in cybersecurity and IT services”.
The government wants to update the Network and Information Systems (NIS) Regulations – which are aimed at improving the cybersecurity of companies that provide essential services such as water, energy, transport, healthcare and digital infrastructure – to include MSPs which provide “specialised online and digital services”.
All this means that MSPs will have to follow the same regulations as everyone else, which could mean fines of up to £17 million if they do not implement effective cybersecurity measures.
Under additional plans to change the NIS regulations, the government is proposing a transfer of “all relevant costs incurred by regulators for enforcing the NIS regulations from the taxpayer to the organisations covered by the legislation” which it claims will create a “more flexible finance system and reduce the taxpayers’ burden”.
It would also include large companies having to notify regulators of all cybersecurity attacks they suffer, not just those which impact their services.