In August 2023, the UK Government published its 2023 National Risk Register (“the Risk Register”), listing the 89 main publicly-acknowledged risks facing the UK.
Cyber-attacks on gas infrastructure, electricity infrastructure, civil nuclear, fuel supply infrastructure, the health and social care system, the transport sector, telecommunications systems and one or more UK retail banks are cited as key risks in the report.
Cyber-related risks therefore feature prominently and, given the volume of cyber-attacks on critical national infrastructure globally, the UK Government has confirmed its intention to revise the cyber security obligations contained in the Network and Information Systems (“NIS”) Regulations 2018. However, in the absence of a draft of the UK equivalent of the EU’s “NIS2” Directive, organisations currently have only the material which the NIS Competent Authorities have published (and updated) to indicate what Critical National Infrastructure (CNI) organisations must do.
A close focus on energy security
One of the key findings in the Risk Register was that energy security specifically was a “rising risk” and, in particular, the grading of three major risks, including “disruption of energy supplies”, previously omitted from the report, has now been made public.
This increased transparency followed previous criticism of an “unacceptable and unnecessary level of secrecy” by the House of Lords select committee on risk assessment and risk planning. Some risks are still omitted from the document on national security grounds, but it is likely that some of those will also be cyber-related in their nature.
Delivering on the commitment to revise the UK NIS Regulations 2018
Following a consultation that began in January 2022, the UK Government announced its intention to update the NIS Regulations 2018 to improve the UK’s cyber resilience.
The UK’s exit from the EU means that the pressure to ensure harmonisation of measures across EU member states does not apply in the same way, and there have been other pressing political and legislative issues for the government to address in the meantime.
Whilst the UK has not immediately followed in the EU’s NIS2 footsteps, given the increase in cyber risk highlighted in the 2023 National Risk Register, the UK Government has nevertheless kept the topic on the legislative agenda, as evidenced by answers to post-consultation follow-up questions provided in the House of Commons earlier in 2023 and in the House of Lords in both March and June 2023.
Competent Authority actions
Whilst the UK Government will be the primary driver of change, NIS Competent Authorities have also sought to respond to the increased threat levels in their relevant sectors. Some recent examples are:
As the designated co-competent authority with the Department for Energy Security and Net Zero (formerly BEIS) for the Downstream Gas and Electricity sectors in Great Britain, Ofgem has also demonstrated the seriousness with which it approaches the topic of cyber security by the appointment of Stuart Okin as a member of its Senior Leadership Team on 16 June 2023.
Having joined Ofgem in 2019, tasked with setting up its Cyber Regulatory function, Okin oversaw the implementation of Downstream Gas & Electricity Network & Information Systems (NIS) compliance frameworks, as well as technical guidance for RIIO Price Control investment.
In April 2022, Ofgem published comprehensive NIS Guidance for Downstream Gas and Electricity Operators of Essential Services in Great Britain, aiming to assist OES in performing their regulatory duties and in continually managing the security and resilience of relevant networks and information systems. Guidance on enforcement and the penalty policy became available in December 2022. Ofgem continues to consult with OES on the topic, having sought input on NIS Reporting in February 2023, specifically on revised versions of the reporting templates to improve the reporting experience. This was followed, on 17 May 2023, by the publication of a decision to adopt revised versions of the reporting templates.
Similarly, in May 2023, Ofcom, as the competent authority for companies in the digital infrastructure subsector, published its decision to revise its guidance to OES within that subsector.
This included a reduction in incident reporting thresholds: the impact on consumers needed for an incident to be reportable is now lower. This decision was made in response to the effects of coronavirus and the added importance of digital providers since the last version was published in 2018.
Nuclear cyber security obligations are specifically carved out of the NIS Regulations 2018, and it remains to be seen whether the UK will choose to update the Nuclear Industries Security Regulations 2013 in order to deliver on the 2022 Civil Nuclear Cyber Security Strategy. To date, no announcement or consultation process has materialised.
Accordingly, whilst to date no fines have been issued under the NIS Regulations 2018, organisations that are an OES, and their NIS Responsible Officer (NRO) in particular, should pay close attention to both the UK Government’s actions and those of their relevant competent authority (or authorities). Organisations should take steps to build their resilience and enhance their incident response planning, so that they can act swiftly and appropriately in the event of an incident to mitigate harm, and ensure that they can explain their choices in relation to risk management in the event of disruption.
For further information, please contact:
Ridvan Canbilen, Herbert Smith Freehills
https://questions-statements.parliament.uk/written-questions/detail/2023-01-11/120970, https://questions-statements.parliament.uk/written-questions/detail/2023-03-28/hl6923 and https://questions-statements.parliament.uk/written-questions/detail/2023-06-07/hl8321