- Summary
- RPC pro forma
- 1. Scope of this review
- 2. The objectives and intended outcomes of the regulations
- 3. Assessment of proportionality for level of evidence sought
- 4. Evidence collection and methodology
- 5. Are the regulations working?
- 6. Assessment of the actual costs and benefits of the regulations
- 7. Is government intervention still required?
Introduction
The Network and Information Systems (NIS) Regulations 2018 are a set of regulations that were originally derived from an EU Directive. [footnote 1] The Regulations are in place to help ensure that the UK economy is resilient against cyber attacks by raising the level of security of providers of essential services that citizens and businesses rely on. The outcome-based nature of the Regulations allows aspects of the regulations to change and adapt in a rapidly evolving environment.

This Post-Implementation Review is the second review of the NIS Regulations. The review aims to build on the evidence set out in the 2020 Post-Implementation Review in assessing how effective the Regulations have been in achieving the original objectives to date and whether those objectives remain appropriate for the UK, four years after the implementation of the Regulations domestically. This review will also set out what the costs and benefits of the Regulations have been to date, as well as setting out the limitations in what can be realistically assessed.

This review comes after the government has published and is consulting on a set of proposals to amend the NIS Regulations. The evidence base for these changes is based on the 2020 Post-Implementation Review, as well as early findings from this review. Having set out the evidence and findings, this document will also discuss whether we should retain this EU-derived legislation following the UK’s exit from the EU, highlight areas of improvement and next steps, and explain how the proposed measures contribute to the objectives of the Regulations.
Background
The overarching objective of the NIS Regulations, which came into force on 10 May 2018, is to improve the security of those network and information systems that are critical to the provision of essential services and certain digital services. The Regulations set out legal measures required to boost the overall level of security of network and information systems of organisations in scope. The Impact Assessment of the NIS Regulations highlights the rationale for intervention, in addition to the objectives, costs and benefits.

The UK was one of the first countries to fully transpose the EU-derived NIS Directive into domestic legislation, and opted for an approach that minimised regulatory burdens on organisations in scope by not extending the Regulations to organisations covered by existing legislation that was already in place, and which was at least equivalent to the Directive. In this sense, the finance and banking sectors were excluded from the UK transposition of the NIS Directive. The Regulations apply to Operators of Essential Services in the transport, energy, water, health, and digital infrastructure sectors as well as to relevant Digital Service Providers.

The Regulations specify that, if falling within the designation thresholds, an operator of essential services or relevant digital service provider must:

- take appropriate and proportionate measures to ensure the security of the network and information systems used to provide their essential services, both by managing risk and by minimising the impact of any disruption;
- notify their Competent Authority about any incident which has an adverse effect on the security of the network and information systems used to provide their essential services, according to criteria set out in incident reporting thresholds.

The implementation and enforcement of the NIS Regulations is the responsibility of designated competent authorities.
Regulatory activity is supported by the UK’s national technical authority, the National Cyber Security Centre (NCSC).
Key findings and conclusions
The Regulations are largely working successfully in achieving the objectives that were set out in the 2018 Impact Assessment "to prevent (where possible) and improve the levels of protection against network and information systems incidents". It is recommended that the legislation be retained. The Regulations are a vital framework in raising the wider UK resilience against network and information systems security threats, and are actively contributing to the ambitions of the National Cyber Strategy. Following our exit from the EU, the UK has the opportunity to ensure that the Regulations are tailor-made to its own needs, in line with UK national objectives and ambitions set out in the National Cyber Strategy and the Integrated Review.

It has not been possible to assess how the NIS Regulations have impacted the number of incidents faced by these critical firms, as it is not possible to build a good counterfactual position as to the number of incidents that would have occurred without the Regulations. Competent authorities have nevertheless improved the cyber resilience of some critical organisations through improvement plans, suggesting that without the regulations there would be more vulnerabilities in these organisations that could be exploited and bring harm to the economy.

Findings suggest that the current form of the Regulations is the most appropriate form of government intervention. Furthermore, the Regulations are proportionate and targeted and not overburdensome. Finally, cyber risks to these relevant organisations still exist, so the Regulations are very much needed to ensure that the UK can continue to increase resilience to the cyber threats it faces.

However, this Review still finds room for improvement:

- Further work is required to ensure that the guidance makes it easy to identify whether firms are in or out of scope of the Regulations and to ensure that organisations that need to be included in the regulations are designated.
- There should be more done to secure the supply chains of operators of essential services, where the supplier is critical to the provision of that essential service.
- Competent authorities also need more resources to carry out what they deem to be an effective job of enforcing the Regulations.
- The Regulations are not effective at capturing the right cyber incidents that occur in the sectors regulated; work needs to be done to ensure that the right incidents are captured.
- DCMS needs to conduct work to assess why the enforcement regime is not being utilised where it is merited.
- Finally, greater consistency in regulatory implementation across sectors is required, alongside the creation of performance metrics so that we can better measure the impact and effectiveness of the Regulations.
Post Implementation Review
Sign-off for Post Implementation Review: Chief Economist/Head of Analysis and Minister

I have read the PIR and I am satisfied that it represents a fair and proportionate assessment of the impact of the measure.

Signed: Mark Wingham (delegated by Chief Economist) Date: 14/03/2022

Signed: Julia Lopez MP, Minister for Media, Data and Digital Infrastructure Date: 25/03/2022

Further information sheet

Member States transposed the Directive differently. The UK’s approach was to minimise costs to businesses where possible whilst remaining within the confines of the Directive. This meant that each proposed sector was assessed to make sure that it was not already subject to equivalent or more stringent regulatory requirements. This translated into relatively fewer sectors in scope of NIS in the UK (the banking and finance sectors already had equivalent legislation in place). Most Member States implemented a sole competent authority for NIS, although some others did go with multiple competent authorities like the UK. Having a single competent authority allows for greater focus and clarity on cyber security advice and guidance in some instances, but the UK approach of having multiple competent authorities for some sectors allows them to have a better breadth of knowledge in the sectors which they are responsible for.
Statutory requirements
This post-implementation review (‘PIR’) of the Network and Information Systems (NIS) Regulations 2018 is a statutory requirement, set out in Regulation 25. In accordance with Section 30(3) of the Small Business, Enterprise and Employment Act 2015, a review carried out under this regulation must, so far as is reasonable, have regard to how the underlying obligation (in this case the EU NIS Directive 2016) is being implemented in other countries which are subject to it. It also requires that, in accordance with Section 30(4) of the Small Business, Enterprise and Employment Act 2015, the review published under this regulation must, in particular: set out the objectives intended to be achieved by the regulatory provision; assess the extent to which those objectives are achieved; assess whether those objectives remain appropriate; and if those objectives remain appropriate, assess the extent to which they could be achieved in another way which involves less onerous regulatory provision.
Adhering to guidance
This PIR will follow the guidance set out in ‘Producing post-implementation reviews: principles of best practice’ produced by the Department for Business, Energy, and Industrial Strategy (BEIS) Better Regulation Executive (BRE). This review will aim to answer the following 4 questions:

1. To what extent is the existing regulation working?
2. Is government intervention still required?
3. Is the existing form of government regulation still the most appropriate approach?
4. a. If this regulation is still required, what refinements could be made? (What scope is there for simplification and/or improvements?) b. If this regulation is not required, but government intervention in some form is, what other regulation or alternatives to regulation would be appropriate?
The policy cycle
To date there have been several pieces of analysis carried out on the NIS Regulations. The following documents have all been produced by DCMS:

- The final impact assessment, carried out in 2018;
- The first Post Implementation Review of the Network and Information Systems Regulations (2018), dated May 2020; and
- The pre-consultation impact assessment on legislative proposals to improve the UK’s cyber resilience, carried out in 2021.

The pre-consultation impact assessment on legislative proposals to improve the UK’s cyber resilience looks at seven policy measures to amend the NIS Regulations. The document uses evidence from the first post-implementation review and preliminary outcomes from this review, in addition to other sources, to produce a rationale for change. As the department continues development of these policy options after the consultation, DCMS will ensure that the findings of this review are fully incorporated into the final impact assessment. The seven amendments that have been put forward in the January 2022 consultation are:

- expanding the scope of ‘digital services’ to include ‘managed services’;
- applying a two-tier supervisory regime for all digital service providers: a new proactive supervision tier for the most critical providers, alongside the existing reactive supervision tier for everyone else;
- creating new delegated powers to enable the government to update the regulations, both in terms of framework but also scope, with appropriate safeguards;
- creating a new power to bring certain organisations, ones that entities already in scope are critically dependent on, within the remit of the NIS Regulations;
- strengthening existing incident reporting duties, currently limited to incidents that impact on service, to also include other significant incidents; and
- extending the existing cost recovery provisions to allow regulators (for example, Ofcom, Ofgem, and the ICO) to recover the entirety of reasonable implementation costs from the companies that they regulate.

More information can be found about these amendments in either the consultation or the cyber measures impact assessment. The research for this post-implementation review was carried out at a stage where it could be used to help develop the legislative proposals above. Evidence from the review was used to test the assertions made in the proposed amendments and in some cases found evidence that further supported the case for some of the amendments. Where the recommendation of this review is to amend the legislation, it will be stated whether this will be done by the proposed cyber security measures or whether further or different amendments are required.
Policy background: implementation of the NIS Regulations
The Network and Information Systems Regulations 2018 (NIS Regulations) came into force on 10 May 2018 and are aimed at improving the level of security of organisations that provide essential services to the UK, as well as some digital services. The NIS Regulations apply to operators of essential services in the transport, energy, water, health, and digital infrastructure services as well as to online marketplaces, online search engines, and cloud computing services (as digital service providers). As required by the NIS Regulations, the government has established a NIS national strategy, which has been embedded within the 2022 National Cyber Strategy, and which strongly influences the Regulations’ policy implementation.

Authorities involved in implementation

The Department for Digital, Culture, Media and Sport (DCMS) is the responsible department for the overall development, coordination, and delivery of the NIS Regulations policy, working alongside other government departments, the devolved administrations, and Competent Authorities. The Department has a responsibility to ensure that the NIS Regulations are underpinned by a wider strategic direction, to conduct post-implementation reviews of the NIS regulations and to put forward improvements (either legislative or non-legislative) for the regulations.

Competent authorities are responsible for the implementation of the regulations in their sector, by assuring themselves that the regulated bodies have appropriate and proportionate measures in place, developing guidance, providing support, and responding to incident reports. In addition, competent authorities are responsible for designating any organisations that do not already qualify as NIS regulated organisations. Competent authorities are designated in the NIS Regulations under Schedule 1 and their duties and responsibilities are clearly set out in regulation 3.

The competent authorities’ implementation and enforcement of the NIS Regulations is further supported by the UK’s national technical authority, the National Cyber Security Centre (NCSC). Under the Regulations, the NCSC plays two different roles. Firstly, they are the UK’s Single Point of Contact (SPOC) for incident reporting. This means that they act as the contact point for engagement with the EU member states on NIS, where appropriate. Secondly, NCSC acts as the Cyber Security Incident Response Team (CSIRT). Once an operator has alerted their competent authority of an incident they believe to be reportable under NIS, the operator may also contact NCSC. NCSC in their role as CSIRT will provide advice and support as appropriate. In addition to these two duties set out in the legislation, the NCSC supports the wider development of cyber security policy in their role as the technical authority on cyber security. The NCSC also acts as a source of technical cyber security expertise for operators and competent authorities.

Identifying organisations in scope

The NIS Regulations cover the energy, transport, health, drinking water supply and distribution, and digital infrastructure sectors. These are further broken down into subsectors, details of which can be found in Schedule 1 of the NIS Regulations. Schedule 2 sets out the further sector-specific designation thresholds that operators of essential services must meet in order to qualify as a NIS organisation. Regulation 12(1) provides the definition of what is to be considered a digital service provider: organisations who provide online marketplaces, online search engines, and cloud computing services. Operators of essential services are designated “de jure” at the moment when they fulfil the thresholds, and must register themselves with their competent authority.

As mentioned above, competent authorities may also specifically designate organisations that are not captured by the thresholds, but that do provide an essential service within the scope of the Regulations as described in the legislation. [footnote 2] Digital service providers are also designated “de jure” and must register with their competent authority. The NIS Regulations do not apply to digital service providers that qualify as small or micro enterprises.

The 2018 Impact Assessment estimated that 611 organisations would be brought into scope of the Regulations: 432 operators of essential services and 179 relevant digital service providers. Competent authority submissions to DCMS for the Review indicated that a total of 605 organisations had been designated: 436 operators of essential services and 169 relevant digital service providers. The number of organisations designated under the NIS Regulations was estimated using information provided by competent authorities on the number of organisations they regulate. Where a Competent Authority did not provide this information, figures were taken from NCSC figures, which were previously provided by competent authorities (2020). It is worth noting that recent assessments carried out by the Information Commissioner’s Office estimate that there may be up to 1,200 digital service providers that qualify for designation under the regulations and that should be registered with the Information Commissioner.

Responsibilities of operators of essential services, relevant digital service providers, and Competent Authorities

Operators of essential services and relevant digital service providers are required by the NIS Regulations to take appropriate and proportionate measures to ensure the security of the network and information systems used to provide their essential services. Such measures may include, but are not limited to, implementing policies and procedures to tackle incident response, designating board-level responsibility for organisations, ensuring that organisations have a good understanding of their network and information system assets, and many others. These measures are established by the relevant competent authority, and the guidance issued by them sets out what is appropriate and proportionate in this context.

The NCSC has developed the Cyber Assessment Framework to assist competent authorities in setting target levels of cyber security in their sectors, and assessing the levels of cyber security achieved by operators of essential services. The Cyber Assessment Framework is both sector-agnostic and outcome-based, and was designed to accommodate the use of a range of recognised cyber security standards. Most NIS competent authorities have chosen to use the Cyber Assessment Framework, which is now also being employed outside the NIS Regulations to improve the cyber security of a wide range of organisations that play a vital role in the day-to-day life of the UK.

Incidents

Operators of essential services and relevant digital service providers have a duty to notify their designated competent authority about any incident which has a significant impact on the continuity of the network and information systems used to provide their essential services, according to criteria set out in the Regulations and incident reporting thresholds. These are set by each competent authority in guidance. [footnote 3] Any incident that meets or exceeds these thresholds must be reported to the relevant competent authority no later than 72 hours after the incident was identified.

Enforcement measures

Competent authorities may take action against operators of essential services and relevant digital service providers. Enforcement measures include information notices (requiring an organisation to provide the competent authority with relevant information), inspections, enforcement notices (specifying steps that must be taken to rectify alleged failures), and penalties. Penalties are meant to be used as a last resort, in the face of significant breaches of duty or persistent refusals to comply with interventions from the competent authority. Competent authorities must serve a notice of intention to impose a penalty before issuing the final penalty, and the relevant organisation will have an opportunity to provide representations and discuss the intention of the regulator before a final penalty decision is served.

There are three levels of fine bandings that can be applied. Contraventions which were not material may go up to £1 million. Material contraventions may go up to £8.5 million. And finally, up to £17 million for the most severe material contraventions which the enforcement authority determines have or could have created a significant risk or impact to the regulated body’s service provision. Regulated bodies have the right to appeal to the First-tier Tribunal against designation, revocation, enforcement or penalty notice decisions made by the competent authority. [footnote 4]
Amendments to the NIS Regulations since the last PIR
Based on the recommendations of the last PIR, in 2020 the government put forward legislative amendments to the NIS Regulations, to implement the review’s recommendations. A public Call for Views on the proposed changes was published in September 2020, with the Government’s Response published in November 2020 and the changes implemented by secondary legislation via Statutory Instrument SI 2020/1245, which came into force on 31st December 2020. A Supply Chain Call for Views and its government response were published in May 2021 and November 2021 respectively. This statutory instrument made changes in the following areas, linked to the recommendations of the last Post-Implementation Review:

The introduction of an independent appeals mechanism

The last Review identified the need to improve the appeal mechanism. Previously, competent authorities were responsible for appointing an independent reviewer at the request of an operator of essential services or relevant digital service provider to review its designation decisions or penalty notices. Following the Review’s recommendation, the government introduced a statutory appeals process, with appeals heard by the General Regulatory Chamber of the First-tier Tribunal, adding significantly more consistency across all sectors, relying on established judicial processes and expected to lead to much lower costs for operators and competent authorities.

Changes to regulatory enforcement powers

The enforcement regime was broadly identified as needing refinement, with a particular focus on enforcement and information notices, clarifications in respect of civil liabilities, and a broader need to make the legislation clearer. The following amendments were introduced:

- A more effective enforcement regime: Information notices were amended to allow their use in identifying whether cyber incidents affected the security of networks and information systems, in addition to their previous use. Powers of inspection were also broadened to allow for a wider variety of actions, including testing, and safeguards were implemented to ensure appropriate and proportionate use. Alternatives to penalties were also introduced, in the form of civil proceedings, allowing regulators a more varied toolset to drive behaviours, and important changes to the use of enforcement notices were included to provide better safeguards for operators.
- Revised penalty notice bands and process: Changes were made so that competent authorities can better tailor penalties to their specific sector and to the seriousness of the breach. Issuing penalties now gives regulatory authorities more freedom to levy financial penalties as deterrents, as authorities no longer have to be bound to first issuing an enforcement notice. To ensure that their use is proportionate, safeguards were also included in the form of a more comprehensive two-step process for levying penalties, allowing for more engagement with operators and providing further opportunities to make representations or take steps to rectify their breach of duty.
- Better information-sharing provisions: The amendments further allowed competent authorities to share information, where necessary and proportionate, with each other and with law enforcement authorities for regulatory and national security purposes, and for the purpose of criminal proceedings and investigations.

Making sure the right organisations are in scope

The 2020 Review found that designation thresholds for certain sectors needed to be changed to make sure that the right organisations were in the scope of NIS. Consequently, amendments were made to the Schedule 2 thresholds in the energy, digital infrastructure, and Scottish health sectors.

Supply chain security

The 2020 Post-Implementation Review stated that ‘effective supply chain risk management is essential to having appropriate and proportionate measures in place to protect network and information systems’ and that this risk has been flagged by both regulators and regulated entities alike. Since then, the government has continued work on developing options to better tackle the security risks arising from supply chains, keeping in mind that any measure must be targeted and proportionate so as to not create undue burdens, limit innovation, or create challenges for organisations in scope. DCMS issued a Call for Views in 2021 [footnote 5] which sought the public’s thoughts on how to improve cyber security in supply chains more broadly and in managed service providers more specifically. Following this, DCMS has been developing legislative solutions to reduce supply chain risk and is currently consulting on measures which propose to identify certain third party providers critical to NIS operators, as well as bringing into scope a specific type of third party provider through which many major supply chain attacks have been conducted: Managed Service Providers.

Incident reporting thresholds

The last Review found that thresholds for relevant digital service providers and operators of essential services needed to be amended. Relevant digital service providers’ incident thresholds were previously set to an EU-market level (i.e. the number of users impacted was based on the total of the EU’s population). Since the publication of the Review’s findings, the Government chose to bring thresholds to a more UK-appropriate level through secondary legislation (SI 2021/1461). Some Competent Authorities began work to review the incident thresholds they had set in guidance. DCMS also undertook policy work to investigate whether the definition of incident in the Regulations should be reviewed. This policy work is further explored in the "Areas of improvement" section of this Review.

Review period

Following the findings of the last Post Implementation Review, the legal requirements for its review timings were changed. After 2022, Post-Implementation Reviews will take place no later than every 5 years, instead of every 2 years.

EU Exit

A further SI (2021/1461) was put forward in 2021 in order to resolve certain EU-Exit deficiencies in Commission Implementing Regulation 2018/151, which governs additional rules to be taken into account in relation to the network and information systems security provisions and incident reporting thresholds for digital service providers. This statutory instrument did not make any policy changes; rather, it provided much needed amendments to the incident reporting thresholds for digital service providers in scope of the NIS Regulations, by removing defective EU reporting requirements and requiring relevant digital service providers to have regard to relevant statutory guidance issued by the Information Commissioner.

National Cyber Strategy

In December 2021 the government published the National Cyber Strategy. This strategy consists of five pillars. The Network and Information Systems Regulations contribute primarily to the 2nd pillar of the strategy, the resilience pillar. The resilience pillar of the strategy has three objectives:

- Improve the understanding of cyber risk to drive more effective action on cyber security and resilience.
- Prevent and resist cyber attacks more effectively by improving management of cyber risk within UK organisations, and providing greater protection to citizens.
- Strengthen resilience at national and organisational level to prepare for, respond to and recover from cyber attacks.

The new strategy was published after the last Post-Implementation Review, but shows that the government still sees cyber resilience as a priority for the UK. These Regulations are working to address all 3 of these objectives and contribute towards the national objectives. They do this by ensuring critical organisations have good cyber hygiene and reduce their exposure to cyber risk, and therefore reduce the likelihood of essential services being compromised.
DCMS followed the framework set out in PIR guidance to determine the level of evidence and resourcing appropriate to this post-implementation review. As in the 2020 Post-Implementation Review, a medium resource approach was identified as being proportionate to the scale of the policy and the likely information we would be able to understand given the 3 years the policy has been active. DCMS opted to conduct surveys to gather bespoke evidence to assess the outcomes, costs and benefits, both over the last 2 years since the last post-implementation review and any that occurred since the inception of the policy.
The analysis had to cover both research questions set out by Regulation 25 and the post-implementation review guidance detailed above. This document will build on the 2020 Post-Implementation Review and fully assess the implementation of the regulations. The analysis for this post-implementation review was carried out by in-house analysts at DCMS. All organisations, both operators of essential services and relevant digital service providers, that are in scope of the NIS Regulations were invited to take part in the surveys that informed our evaluation. To ensure that this review was not overburdensome on these organisations, they were informed that the survey and questions were all optional.
As the regulations had only been in force for 3 years at the time of the surveys, the surveys focussed on the experiences of organisations and how they have implemented the regulations. The views of the competent authorities were also collected to assess how the regulators have been implementing the regulations. The aim of the regulations is to reduce the cyber risk that critical firms pose to the UK economy. The review therefore focused on the cyber security improvements that firms have implemented because of the regulations.
The views of the NCSC were collected in order to assess whether they believe the cyber risks posed to the economy by these firms have reduced. It is not possible to quantify a reduction in incidents, as a counterfactual cannot be established, and a reduction in incidents is in any case an unreliable measure: fewer recorded incidents may simply mean that fewer incidents are being detected. There was also no baselining of incidents before the regulations came into force, as there was no power to require firms that would later be brought under the NIS Regulations to report incidents to a central body.
To assess whether there has been an improvement in the outcomes due to the regulations, we will compare the results of these surveys to the previous post-implementation review to see if there has been any change.
In the last post-implementation review, DCMS committed to running a more qualitative stage of research. To ensure that our research was not overburdensome on firms, especially during the Covid-19 pandemic and given the short period since the last Review, DCMS opted to add more qualitative questions to the survey rather than run separate research projects. This approach allowed us to ask firms directly about the quantitative results they provided, allowing for more detailed analysis and therefore more informed policy making.
DCMS conducted primary research with 4 key groups of stakeholders: operators of essential services; relevant digital service providers; the competent authorities; and NCSC. Each survey was different and asked questions that were relevant to each stakeholder. As the secure online surveys worked well for the 2020 post-implementation review, DCMS decided that they would be the most appropriate tool to conduct the primary research.
DCMS scoped out the surveys with other government departments, competent authorities and NCSC. These stakeholders shared their thoughts to improve the data collected as part of this review. The reason operators of essential services and relevant digital service providers had separate surveys was to ensure we only asked questions that relate to the policy areas that were outlined in the original impact assessment.
Just as in the last Post-Implementation Review, a combination of quantitative and qualitative questions was included. As previously mentioned, the last review identified a benefit in carrying out more qualitative research. DCMS has achieved this by adding more qualitative questions to the surveys for this review, as opposed to running a standalone project. This was judged to be the less burdensome way of completing the research proposed in the last Post-Implementation Review. Annex A and Annex B show the surveys that were sent to operators of essential services and relevant digital service providers, respectively. Additional questions were included in the surveys to capture the impact of the regulations on innovation, as DCMS is a trial department for including the impacts of regulations on innovation in impact assessments.
The surveys were distributed to the competent authorities, who then shared them with the operators of essential services or relevant digital service providers that belong to their sector. All operators of essential services and relevant digital service providers had the opportunity to respond to the survey. Participation in the survey was voluntary, and operators of essential services and relevant digital service providers were given six weeks to respond. The exception was the Department for Transport: due to a distribution list error, the initial survey links were not distributed to the competent authority, and the survey was opened at a later date with a shorter period of 10 days. The Department for Transport still received a response rate of 26%, which was higher than the survey average. Contact information was provided in case respondents had any queries. After reviewing the data, the team noticed no differences in the quality of responses between those of the Department for Transport and other sectors. Their responses did not alter any trends or policy recommendations, and their respondents tended to agree with other operators of essential services. The differences that are observed between the answers, for example on cyber security spending, often differ between sectors and are not a result of a shortened response period. Reminders were sent out via competent authorities during the six weeks in which the survey was live to encourage participation. Only the team directly working on the Post-Implementation Review could see the individual responses to the survey that were submitted.
The responses to the surveys were lower than those received in the last Post-Implementation Review. This could be due to firms being busy during the COVID-19 pandemic, or to less interest in completing the surveys as this is the second such review. As the last Post-Implementation Review fell within a pre-election period, DCMS could not send reminder emails to organisations to encourage them to complete the survey. During this Post-Implementation Review, DCMS sent reminder emails whilst the surveys were open to try and encourage participation; this did not improve the response rate compared with the last Review. To improve participation for the next Post-Implementation Review, DCMS recommends working more closely with individual competent authorities to target sectors or regions that have a lower response rate. The surveys captured the views of 68 operators of essential services, down from 117 in the last review. The 68 respondents make up 16%[footnote 6] of the total population of operators of essential services covered by the NIS Regulations. The surveys also received 14 responses from digital service providers covered by the NIS Regulations, down from 21 in the last review, representing 8%[footnote 7] of the population of relevant digital service providers. Whilst DCMS cannot guarantee that this sample is representative, the survey was open to all organisations that are regulated by the NIS Regulations, so DCMS believes it is a robust basis on which to evaluate the NIS Regulations. Due to the low number of relevant digital service provider responses and the number of "Don’t know" responses on some questions, DCMS has been unable to update some assumptions from the previous review. Where this is the case, it will be made clear to the reader where the assumption originates.
Responses cover both medium and large organisations, as no small organisations were identified as being regulated under the NIS Regulations by competent authorities in this review. Replies were received across the different sectors and regions to give a good sample spanning the NIS Regulations, however it should be noted that there were very few medium operators of essential services. Operators of essential services and relevant digital service providers have the regulations applied differently, so it is worth noting that when comparing the results and costs of the regulations.
How effective are the regulations in meeting regulatory objectives and outcomes?
The policy objectives set out in the 2018 Impact Assessment of the NIS Regulations are "to prevent (where possible) and improve the levels of protection against network and information systems incidents" [footnote 9], as well as to "ensure that there is a culture of security across sectors which are vital for our economy and society".[footnote 10] Overall, although there is evidence indicating that the overarching policy objectives have largely been met, there nonetheless remain a number of opportunities to improve the NIS Regulations’ implementation. With regards to assessing the effectiveness of the NIS Regulations in preventing NIS incidents, as it is not possible to estimate a counterfactual number of NIS incidents that would have occurred had the Regulations not been in place, it is not possible to assess whether the NIS Regulations have reduced the number of NIS incidents. Overall, in 2019 a total of thirteen NIS incidents were recorded. This number decreased to twelve incidents in 2020, indicating a slight decrease in the number of incidents recorded; however, these may not be cyber-related. There have been issues and concerns surrounding what classifies as a NIS incident, as the current definition of a NIS incident only captures a small percentage of all incidents that threaten essential services. This suggests that the current NIS Regulations reporting requirements do not capture all important incidents, an issue which is evidenced by the stark contrast between the average number of incidents informally reported to the NCSC by organisations in NIS essential service sectors, the very low number reported officially by NIS firms to their responsible competent authorities, and the number of incidents reported in the press. Some estimates suggest that the number of incidents impacting these sectors could be significantly larger.
The main concern with regards to this is whether, despite not currently meeting the threshold for reporting a NIS incident set out in the Regulations and guidance, these incidents have the potential to disrupt essential services in the long run (e.g. ransomware attacks). If they were reportable, regulators could seek regulatory intervention and, by suggesting improvement plans or intelligence sharing, improve the levels of protection of that essential service against future incidents, thus meeting the NIS Regulations’ objectives. Suggestions on how to capture important incidents are outlined in section 10 of this document. Although it is difficult to assess whether the Regulations have reduced incidents given the issues surrounding incident reporting under NIS, the findings of the Post Implementation Review do suggest that NIS has improved levels of protection by accelerating the development of a security culture across essential service sectors. How this culture of security has manifested itself is detailed in the outcomes section below.
Regulatory outcomes
The main projected benefits to the UK economy outlined in the 2018 Impact Assessment include the improved protection of the network and information systems that underpin the UK’s essential services, and reducing the likelihood and impact of security incidents affecting those networks and information systems and the corresponding impact on economic prosperity. It is also pointed out that businesses may benefit from reducing the impact of breaches or attacks that are below the NIS Directive thresholds, as the improvements in cyber security and handling of incidents will not just apply to NIS incidents. Moreover, international cooperation and information sharing is also expected to improve advice and incident response for firms.[footnote 11] NIS has accelerated the improvement of essential services’ protection of their network and information systems.
The surveys conducted as part of this review showed that 28% of operators of essential services reported having introduced new policies and processes since the inception of the Regulations, while 51% have updated or strengthened existing policies and processes, and 7% intend to update or strengthen these processes as a consequence of the NIS Regulations.[footnote 12] This highlights a direct correlation between regulated bodies’ improved cyber security behaviours and the NIS Regulations. Moreover, the proportion of organisations that reported having introduced or updated policies and processes is significantly higher relative to the findings of the 2021 Cyber Breaches Survey, which found that only 33% of businesses had a formal policy or policies covering cyber security risks.[footnote 13] In addition, 71% of operators of essential services respondents reported an increase in board support for cyber security.[footnote 14] This was corroborated by the competent authorities’ responses, who reported greater buy-in and understanding of cyber security from their regulated bodies at board level since the implementation of the NIS Regulations. 62% of operators of essential services also reported having updated general incident management processes, and 49% reported having improved their understanding of their organisations’ aggregate risks.[footnote 15] The incident response plans that NIS organisations have in place, as well as the improved speed at which organisations mitigate vulnerabilities when alerted by regulators, will improve resilience to incidents, and could potentially stop non-NIS incidents turning into NIS incidents. Additional NIS protection outcomes reported by operators of essential services included improving the way that they assess their supply chain. 
With regards to unexpected benefits of the NIS Regulations for relevant digital service providers, the respondents to the post-implementation review survey also indicated that they have improved their understanding of their organisations’ aggregate risks (31%), increased board support for cyber security (31%), and updated general incident management processes (23%) as a result of implementing the NIS Regulations. 46% of respondents reported that they have not experienced any unintended benefits as a result of the Regulations.[footnote 16] Overall, these findings confirm that both operators of essential services and relevant digital service providers are improving their security culture in response to duties imposed on them by the NIS Regulations, in the context of an increasing focus on cyber resilience across the economy. This is further supported by the competent authorities’ responses to the Post-Implementation Review, as regulators noted that despite the financial difficulties arising from the COVID-19 pandemic, there had been an increase in spending among organisations in the form of hiring additional staff and increasing projects related to cyber security. Reports from competent authorities have also indicated that firms are updating their legacy systems, which is likely to provide better mitigations and risk management against threats, raising the level of resilience of the essential services. Competent authorities also noted fundamental improvements to risk and incident management processes as one of the key improvements in their sectors. This is in stark contrast to the 2021 Cyber Breaches Survey, which provides evidence of information risk management regimes being the area in which the fewest companies had undertaken any action (30% of organisations, a decrease from the 39% captured in the 2017 Cyber Breaches Survey).
This provides an indication that the NIS Regulations have provided an incentive for companies under their scope to focus on specific improvements such as these, in contrast to unregulated companies in the wider economy. This data indicates that the NIS Regulations have had a positive and beneficial impact on those organisations in scope, raising their levels of resilience compared to those organisations that are not covered by the regulations. As mentioned above, there are indications that the current definition of a reportable NIS incident may mean that regulated organisations are not reporting important incidents. We therefore lack robust data to assess the number of cyber incidents affecting firms that provide essential services. However, we have data confirming a marginal reduction in reported NIS incidents, from 13 in 2019 to 12 in 2020, although these are not necessarily cyber incidents. Due to a lack of primary and secondary data collection on the cost of a NIS incident to organisations, this review is not able to assess the economic impact of a possible incident reduction as a result of the Regulations. Similarly, we do not have data on whether businesses have benefitted from reduced breaches/attacks below the thresholds; however, it can be inferred from the numbers supplied to us by NCSC on informally reported incidents, which show a decrease in overall incidents between 2019 and 2020 in sectors classed as essential by NIS.[footnote 17] Finally, with regards to international cooperation and information sharing leading to improved advice and incident response for organisations, this review notes that notwithstanding the UK’s departure from the European Union on 31 January 2020, Part 4 of the Trade and Cooperation Agreement (TCA) contains provisions that would allow the UK to cooperate with the EU on cyber security.
This includes taking part in some of the activities of NIS-related action groups: the EU NIS Cooperation Group, the EU Agency for Cybersecurity (ENISA), as well as cooperation with the EU’s Computer Emergency Response Team Network (CERT-EU).[footnote 18]
Security practices prior to the NIS Regulations
Data from both Post-Implementation Reviews suggests that over the past 4 years the NIS Regulations have acted as an accelerator for improvements across sectors that fall under the NIS Regulations. Competent authorities, when queried in the context of both the 2022 and 2020 Post-Implementation Reviews, reported that in their view improvements in security would have continued without the regulations, albeit at a much slower pace. DCMS intended to collect baselining data again from the organisations that are regulated by NIS. This was for two main reasons: firstly, organisations may have been designated under the regulations since the last review; and secondly, to ensure that any difference in the conclusions of this Post-Implementation Review was not down to a difference in sample. Similarly to the last review, the vast majority of operators of essential services and relevant digital service providers (85% and 93%, respectively) indicated having made improvements to the security of their network and information systems prior to the introduction of the Regulations.[footnote 19] Moreover, 88% of operators of essential services and 100% of relevant digital service providers had governance policies and/or processes to manage security risks to their network and information systems prior to the NIS Regulations.[footnote 20] As identified in both the 2018 NIS Regulations Impact Assessment and the 2020 review of the NIS Regulations, the firms covered by the NIS Regulations will be subject to other regulations and requirements.
The sample collected from this review found that other regulations or standards mentioned as drivers for improvements in cyber security included: the UK General Data Protection Regulation (GDPR) (86% of relevant digital service providers and 78% of operators of essential services)[footnote 21]; ISO27001 (28% of operators of essential services); Cyber Essentials and Cyber Essentials Plus (11% of operators of essential services); as well as other industry standards (33% of operators of essential services).[footnote 22] As shown in Figure 1, further non-regulatory drivers of change prior to the NIS Regulations included maintaining business continuity (93% of relevant digital service providers, 94% of operators of essential services), protecting critical systems (86% of relevant digital service providers, 94% of operators of essential services), avoiding financial loss (71% of relevant digital service providers, 82% of operators of essential services), and avoiding reputational damage (86% of relevant digital service providers, 82% of operators of essential services).[footnote 23]
Figure 1: Reasons for implementing changes to the security of network and information systems prior to the NIS Regulations
Just as in the last review, firms were already taking action to make improvements before the NIS Regulations came into force. Evidence from the competent authorities also notes that the NIS Regulations are likely to have improved the speed at which improvements were made to firms’ cyber security rather than generated new improvements. As the rationale for intervention in the original impact assessment made clear, the UK economy depends on the firms that have been designated under the NIS Regulations, and therefore there is an urgency for these firms to make changes. The threat that firms face in the cyber landscape is ever present, and making improvements at a slower pace than necessary is simply not an option for the UK economy and endangers the future security and prosperity of the country.
Key outcomes
Operators of essential services
Both operators of essential services and competent authorities reported that they have seen an increase in resources dedicated to cyber security improvements. While competent authorities indicated that there have been improvements in cyber security in their sector since the introduction of the Regulations, most believe that the NIS Regulations acted as an accelerator for already-planned cyber security improvements. This is essential for good cyber security, reducing the vulnerabilities that exist in systems and therefore the opportunities for attack. 69% of operators of essential services reported an increase in the prioritisation of cyber security at a senior level.[footnote 24] Moreover, 62% of the organisations who reported an increase in prioritisation also reported having updated/strengthened existing policies/processes as a result of the NIS Regulations. Overall, organisations also reported that they are investing more resources on an ongoing basis into their cyber security across the three categories of: physical security (83%); external costs (71%); and internal staff costs (75%).[footnote 25] This demonstrates the increased priority of cyber security. The majority of operators of essential services reported that they have introduced new policies or processes to manage security risk, with 79% reporting having done so due to the NIS Regulations.[footnote 26] Of the organisations that have not improved or introduced processes or policies, all of them stated that they either have plans to introduce new policies or that their policies already met the required standards.
Whilst 88% of operators of essential services reported having processes for an incident response prior to the NIS Regulations, 12% had no such procedures.[footnote 27] Of the 12%, one third have introduced new procedures/processes and the remaining two thirds are intending to introduce new procedures or strengthen existing ones. This will help to maintain the provision of their essential services. Whilst the NIS Regulations have been in place for 3 years, some organisations may have only been designated for a shorter period, meaning they are at the early stages of implementing the requirements of the NIS Regulations. Operators of essential services indicated that since the implementation of the Regulations their organisations are more likely to voluntarily report an incident that is under the threshold to their competent authority and to the National Cyber Security Centre in 45% and 42% of the cases, respectively. Next to this, organisations also indicated no change in attitude towards their competent authority and towards the National Cyber Security Centre in 45% and 54% of the cases, respectively.[footnote 28] This indicates an improvement in attitudes towards voluntary reporting which can lead to greater oversight of cyber threats to the UK economy. 
There appear to be some challenges to organisations’ ability to implement the NIS Regulations, with 56% of operators of essential services indicating that they faced challenges implementing the Regulations.[footnote 29] Moreover, there is some concern about the ability of organisations to maintain their compliance with the regulations, with 42% of operators of essential services indicating that they do not have the skills and capacity to deliver their obligations under the NIS Regulations.[footnote 30] There is an indication of a link between facing challenges in implementing the NIS Regulations and lacking the necessary in-house skills and capacity, as 42% of the operators of essential services who felt that they faced challenges to their ability to implement the NIS Regulations also reported that they did not feel they had the in-house skills and capacity to deliver their obligations under NIS.[footnote 31] This position matches the wider cyber skills issue in the UK economy, where DCMS research highlights a national cyber skills shortage.[footnote 32] Nonetheless, 66% of operators of essential services also reported that they have retrained, up-skilled or hired new staff to manage security risks to their organisation’s network and information systems as a result of the NIS Regulations, which can assist organisations in mitigating some of the challenges caused by the lack of in-house skills.[footnote 33] There also appear to be challenges with regard to organisations’ supplier risk management, as 66% of operators of essential services indicated facing barriers that prevent them from conducting appropriate and proportionate risk management of their suppliers and their wider supply chain.[footnote 34] This issue appears to be more significant with regards to organisations’ wider supply chains, as only 9% of operators of essential services indicated having the resources to manage the risk from both their direct suppliers and their wider supply chain, while 51% indicated having the resources to manage the cyber security risk from their direct suppliers but not their wider supply chain.[footnote 35] Moreover, 24% of operators of essential services reported not having the resources (19%), or being unsure how to manage the risk (9%), from both direct suppliers and their wider supply chain. Some of the barriers to supply chain risk management indicated by operators of essential services included: lack of cooperation with suppliers (44%); lack of staff resources (12%); perceiving the supply chain as too large or complicated to understand the underlying risks (14%); unspecified resource constraints (19%); lack of skills (7%); issues relating to contracts (5%); and legacy systems (2%).[footnote 36] These issues are in line with those highlighted in DCMS’s Call for Views on Supply Chain Cyber Security, which sought insights from industry to inform the government’s understanding of supply chain cyber security.[footnote 37]
Digital Service Providers
Relevant digital service providers did not see as much senior prioritisation as a result of the regulations as operators of essential services, with only 23% of organisations in the survey reporting this.[footnote 38] This is a similar proportion to the last review, in which 29% of digital service providers reported this benefit.[footnote 39] 80% of organisations that reported not seeing a change in prioritisation stated that cyber security was already a priority for other reasons.[footnote 40] In line with this, 36% of relevant digital service providers said that they had updated/strengthened existing policies/processes as a result of the NIS Regulations, 7% said that they intended to do so, 43% reported making no changes as a result of already meeting the required standards, and only 7% reported having introduced new policies/processes.[footnote 41] Digital service providers having lower outcomes than operators of essential services could be due to different reasons, but the two most likely are: 1) a higher starting point with regards to cyber security prior to the Regulations being brought in; 2) the difference in the way the Regulations are applied to operators of essential services and digital service providers, as mentioned previously in this document. 100% of the survey respondents stated that they already had incident response policies in place prior to the NIS Regulations for recovery from a security incident relating to the network and information systems used for the provision of their services.[footnote 42] However, 46% have strengthened existing processes/procedures since the NIS Regulations, meaning that an incident is likely to have a reduced impact on the organisation and therefore the economy. While all of the respondents who indicated having strengthened existing processes/procedures reported that these processes were influenced or affected by the UK General Data Protection Regulation and Data Protection Act 2018, the majority of organisations indicated having taken actions in several areas with regards to incident response as a result of the NIS Regulations. 46% of the respondents indicated keeping incident response plans up to date, 38% indicated taking action in the form of risk assessment plans, and in 31% of the cases no action was taken.[footnote 43] The majority of relevant digital service providers (62%) indicated not facing any barriers that prevent their organisation from conducting effective risk management of their suppliers, including their wider supply chain.[footnote 44] In addition, all relevant digital service providers who responded to the survey reported having the resources to manage cyber security risks to their network and information systems arising from their direct suppliers.[footnote 45] Moreover, in 54% of the cases respondents also indicated having the resources to manage the risk from their wider supply chain.
Of the 46% who stated they did not feel able to manage the risk of their wider supply chain, 60% reported that it was a lack of will amongst suppliers, 40% reported a lack of finances or funding, and a further 40% reported a lack of staff resource. Overall, while it appears that some organisations were already taking action to improve cyber security, there is an indication of a positive effect of the Regulations on governance policies and/or processes to manage security risk, which will help to reduce the risk posed to the economy by these organisations. Moreover, relevant digital service providers also indicated having invested, or planning to invest, in internal staff (54%), physical security of IT (46%), and external costs (31%) related to the security of the network and information systems used for providing their services.[footnote 46] These investments will therefore further improve organisations’ cyber security. As with operators of essential services, these issues are also in line with those highlighted in DCMS’s Call for Views on Supply Chain Cyber Security.[footnote 47] Among relevant digital service providers, the large majority of respondents indicated that their attitudes have not changed towards voluntarily reporting an incident that is under the reporting threshold, both to their competent authority and to the NCSC (77% and 69% of the cases, respectively). The proportion of relevant digital service providers who reported being more likely to report this type of incident to their competent authority and to the NCSC was 8% and 15%, respectively.[footnote 48] A policy measure in the recent proposals on cyber measures, published by DCMS, looks to bring the regime for some digital service providers in line with the regime for operators of essential services.
This will mean that, if the lower outcomes for digital service providers are due to the difference in regulatory regime, the outcomes for digital service providers will improve if the measure is taken forward.
Supporting organisations to implement the Regulations
In addition to looking at the key measurable outcomes to date, the Review assessed implementation, including the effectiveness of key tools for supporting organisations in implementing the Regulations. The review looked at the effectiveness of the Cyber Assessment Framework (CAF). Overall, 84% of operators of essential services reported using the CAF, an increase from the 71% of respondents who reported using this tool in the 2020 NIS Post-Implementation Review.[footnote 49] The majority of respondents indicated finding it moderately useful (48%), very useful (39%), or extremely useful (7%) for managing risk to the security of their organisation’s network and information systems.[footnote 50] When asked how the CAF could be improved, 23% of operators of essential services said that it should be less specific and more nuanced or holistic, 15% said it should align with other frameworks[footnote 51], 8% mentioned that it should be clearer or improve the benchmarking so progress can be tracked, and 13% also asked for clearer wording. Other respondents mentioned making it more sector specific and making the requirements more specific.[footnote 52] The review also looked at the extent to which applying the NCSC CAF principles and guidance had a positive impact on several areas relating to the provision of essential services in organisations. This is summarised in Figure 2 below. The majority of organisations reported somewhat positive or extremely positive impacts across all areas, which provides an indication of improvements in different areas relating to cyber security as a result of applying the CAF principles and guidance.
Figure 2: Impact of applying the NCSC CAF principles and guidance. “To what extent has applying the NCSC CAF principles and guidance impacted positively on the following with regard to the provision of your essential services in your organisation?”

Furthermore, guidance and support from competent authorities on implementing and complying with the Regulations may have helped organisations to improve the security of their network and information systems. Among the respondents, most organisations reported knowing where to find guidance on NIS implementation and compliance (97% of operators of essential services and 100% of relevant digital service providers).[footnote 53] This represents a slight increase compared to the 2020 NIS Post-Implementation Review, in which 96% of operators of essential services and 94% of relevant digital service providers knew where to find the guidance.[footnote 54] Moreover, similar to the 2020 NIS Post-Implementation Review, 93% of relevant digital service providers and 95% of operators of essential services found the guidance easy to access.[footnote 55] The majority of organisations also reported having received adequate guidance and support from their competent authority in implementing the NIS Regulations effectively (93% of relevant digital service providers and 68% of operators of essential services).[footnote 56] Both groups have seen improvements in the support received from their competent authorities compared to the last post-implementation review, in which 60% of operators of essential services and 71% of relevant digital service providers reported adequate support and guidance.
Among operators of essential services, respondents pointed to the usefulness of additional support in the form of industry events (26%), information exchanges with other operators of essential services (35%), and improved educational materials available online (32%) in further assisting them with the implementation of the NIS Regulations.[footnote 57] Relevant digital service providers, on the other hand, mostly pointed to the benefits of providing updates to businesses (37%) and providing more information on the ICO or NCSC website (33%).[footnote 58]

Enforcement

The Review also aimed to assess the role of the enforcement element of the Regulations in driving improvements amongst organisations. Overall, 100% of relevant digital service providers and 96% of operators of essential services that responded to the survey reported being aware that there is an enforcement regime associated with the NIS Regulations.[footnote 59] However, 49% of operators of essential services and 69% of relevant digital service providers indicated that the enforcement regime had not led them to implement any improvements to the resilience of their services.[footnote 60] It is important to note that, given the very few enforcement activities that have taken place, it is not possible at this stage to robustly assess whether the regime can lead to improvements in organisations. The degree to which enforcement activities have taken place is further detailed in Section 8 of this Review. It would therefore be useful to assess the impact of this regime on improvements to organisations in future post-implementation reviews.
Despite not reporting the enforcement regime to be a key driver of improvements, the majority of organisations found the current enforcement regime to be proportionate to the risk of disruption to relevant services (72% of operators of essential services and 92% of relevant digital service providers).[footnote 61] Among the operators of essential services that disagreed that the enforcement regime was proportionate to this risk, 22% thought it was too high or severe, 6% felt that it was too low, 6% felt it damaged the relationship between competent authorities and operators of essential services, and 6% felt that it took too long before a penalty was handed down.[footnote 62] 44% gave other reasons, including that there is no clear link between the fine levied and the actions that the operator of essential services took prior to the incident, and that fines amount to double jeopardy as there is already a cost associated with a cyber breach. The only relevant digital service providers who indicated that the enforcement regime was not proportionate to the risk of disruption reported feeling that the Regulations were incorrectly applied to DSP organisations in general.

Summary: Outcomes observed to date

The evidence suggests that the Regulations are working to improve the cyber resilience of both relevant digital service providers and operators of essential services. There has been an increase in the prioritisation of cyber security at senior level, indications that the majority of operators have either introduced new policies or improved existing ones where such processes were already in place, improved incident response management, and wider awareness of guidance and available support from the competent authorities. Reports of more voluntary reporting are also a positive development, indicating a move towards a more mature cyber sector that is willing to take steps to address the threats to essential services.
Some of the tools created for the Regulations, such as the NCSC’s Cyber Assessment Framework, have ensured that improvements are made, and firms appear to be speeding up their cyber improvements. There is still more that can be done. There is considerable uncertainty around incident response and around which incidents need to be reported; reports received for this Post-Implementation Review, however, indicate that both operators of essential services and relevant digital service providers are aware of the guidance and have found it useful. This indicates that further attention must be given to incident reporting from a legislative perspective, which has been taken forward in DCMS’ consultation on measures to improve the UK’s cyber resilience, where amendments to the incident reporting framework are considered. Capacity constraints and a lack of access to the appropriate skills within the sectors remain an issue for operators of essential services and digital service providers. In addition, one of the most prevalent challenges illustrated by the study is the ability of operators to secure their wider supply chains, with only 9% of operators of essential services indicating that they have the right resources to do so; this contrasts with the 54% of digital service providers reporting being able to address this challenge. More could be done in this space, and DCMS has considered measures that would address this gap in the 19 January consultation.

Overall, the surveys provide a good basis to indicate that the Regulations are having a positive impact and that they are effective in driving behaviour. However, the increased investment and the low number of cyber incident reports are not necessarily indicative of the wider policy objective of providing better security for essential services and increasing cyber resilience, as it is impossible to say whether the Regulations have reduced the number of incidents that these services would otherwise have faced. Better key performance indicators need to be developed to assess this.
Costs
The Impact Assessment (IA) identified the costs of implementing and running the Regulations as split between those falling on businesses and additional costs to government from enforcement activity.

Costs incurred by businesses include:
- (a) familiarisation costs,
- (b) additional security spending,
- (c) costs of incident reporting,
- (d) competent authority costs, including compliance costs, and
- (e) responding to enforcement activities.

Costs to the government include:
- (a) setting up a Computer Security Incident Response Team (CSIRT), a Single Point of Contact (SPOC), and a cooperation group, and
- (b) delivering enforcement activities and international cooperation.

As part of the post-implementation review, DCMS has reviewed whether the above costs were incurred, and whether the costs estimated in the Impact Assessment were accurate. Table 2 presents the summary of total costs for the 10-year appraisal period.

Table 2: Summary of costs (2016 prices), by type of cost/benefit

Where possible, we have updated the cost data assumptions that were made in the Impact Assessment. As such:
- Consistent with the Impact Assessment, the median wage has been used to calculate costs as it is believed to be the most representative wage (less skewed by outliers).
- Overhead charges of 30% have been added to the wages, in accordance with the International Standard Cost Model Manual.[footnote 63]
- The compound annual growth rate in median wages for different occupations has been estimated using 2013 to 2021 ASHE wage data. This has been used to estimate future wage growth when modelling future costs from 2022 onwards. This differs from the NIS Post-Implementation Review 2020, in which simple (uncompounded) annual growth rates were calculated using ASHE wage data from 2013 to 2018. The compounded approach was taken as it ensures that any volatility is accounted for in the calculations.
For internal staff security costs, which are a component of additional security costs, cost estimates were taken from survey responses, which are in 2021 prices. To deflate the values into 2016 prices, DCMS used data from the Annual Survey of Hours and Earnings (ASHE). As cyber security does not have a specific SIC code, SIC code 62 (computer programming, consultancy and related activities) has been used as a proxy; these cost figures were adjusted using the growth rates of the median wage to estimate staff security costs in 2018, 2019, and 2020 prices. The compound annual growth rate in median wages between 2013 and 2021, taken from ASHE for SIC code 62, has been assumed to be constant for the future years in the appraisal period. For Competent Authority costs, wage inflation has been assumed to be the same as the GDP deflators, as Competent Authorities are government departments, agencies, or public sector bodies.

Since the Regulations came into force in May 2018, we consider 2018 to be the appropriate present-value base year. This is in line with the original 2018 Impact Assessment but not with the 2020 Post-Implementation Review, which used 2017 as the present-value base year; the current analysts consider that a less appropriate base year was selected for that review. Total costs have been deflated to 2016 prices and a discount rate of 3.5% applied to future costs to account for the time preference of money.

Table 3: Wage inflation

However, there have been some instances where it has not been possible to update the specific cost assumptions made in the Impact Assessment. Where this is the case, it has been indicated. It is worth noting that many organisations in scope of the Regulations are public sector organisations, largely in the health sector.
In view of this, much of the following refers to the impact and costs on ‘organisations’, encompassing both the private and public sector, rather than on businesses. In calculating the direct cost to business, based on consultation with Competent Authorities, we have estimated that approximately 42% of organisations currently in scope of the Regulations are in the public sector. It should also be noted that while the costs incurred by public organisations have been evaluated throughout in the same way as costs to business, these costs are ultimately borne by the government.

In the Impact Assessment, DCMS estimated that the following costs would be incurred by organisations in scope of the Regulations:
- costs of familiarisation with the NIS Regulations and guidance documents (£660.19 per organisation);[footnote 64]
- additional compliance costs of reporting requirements to Competent Authorities, e.g. completing the CAF or another type of assessment (£80 for a small organisation, £275 for a medium sized organisation, and £549 for a large organisation);[footnote 65]
- costs of incident reporting due to the NIS Regulations (£54 per incident).[footnote 66]

Figure 3 presents the proportion of organisations in scope of the Regulations who reported incurring costs in each of these areas. The majority of operators of essential services reported incurring additional security costs, followed by familiarisation costs. The majority of relevant digital service providers reported incurring familiarisation costs, and half of the respondents reported incurring additional compliance costs. Overall, fewer organisations reported facing other administrative costs.

Figure 3: Proportion of organisations in scope of the Regulations who reported incurring costs associated with implementing the NIS Regulations. “In the original NIS Impact Assessment, DCMS estimated expected costs to organisations associated with implementing the NIS Regulations. Which of the following costs, if any, has your organisation incurred as a result of the NIS Regulations?” Base: 65 OESs and 10 RDSPs.

To understand the costs incurred in more detail, the survey also asked organisations whether the costs estimated in the Impact Assessment were accurate. Overall, only 6% of operators of essential services and 17% of relevant digital service providers indicated that these estimates were accurate for their organisation.[footnote 67] 33% of operators of essential services and 17% of relevant digital service providers did not agree that these costs were accurate.[footnote 68] The majority of organisations (61% of operators of essential services and 67% of relevant digital service providers) were unsure, responding that they did not know, even though organisations otherwise reported incurring these types of costs (Figure 3).[footnote 69] This may be because, although organisations can identify having incurred these costs, they might not be able to quantify them separately from their overall spending on security. It should be noted that this question did not allow organisations to indicate the accuracy or inaccuracy of individual costs, and it is therefore not possible to know whether the organisations that indicated that these estimates were inaccurate referred to some or all of the costs presented in the Impact Assessment. This should be changed for the next review.

Those organisations that did not agree that the estimated costs were accurate were further asked to clarify, for each of the estimated costs in the Impact Assessment, the number of hours of work required in each area, who was involved, and how much this cost. Overall, only 17 operators of essential services and two relevant digital service providers provided some of this information. With the exception of the costs of incident reporting, the majority of these organisations’ responses suggested that the estimates were too low.
There was also a wide range of costs reported, indicating that many factors affect additional costs, some of which may be specific to the organisation’s needs. The Impact Assessment estimated that the cost of familiarisation with the NIS Regulations and guidance documents would be £660.19 per organisation, based on eighteen hours of legal and senior management time.[footnote 70] Organisations that responded to the survey reported an annual weighted average cost of familiarisation of £14,315 in 2016 prices, across those that agreed with the Impact Assessment estimates and those that provided other values.[footnote 71] Among these, the organisations that responded that the estimated costs in the Impact Assessment were not accurate for their organisation, and that provided further details on the familiarisation costs incurred, reported average familiarisation costs of £62,629 (2016 prices), with reported costs ranging from £1,200 to £500,000.[footnote 72] Most organisations reporting these costs pointed to managers and legal professionals being involved in the process of familiarisation with the NIS Regulations, although a few respondents also indicated that IT advisors, engineers, consultants, and cyber advisors were involved. The respondent that gave an estimate of £500,000 did so citing that several groups had to be familiarised with the NIS Regulations, including: "Operations, OT support, IT support, Management, Law, Cyber advisors, global support organisation". The response was included despite being an outlier.

As initial evidence suggests that familiarisation costs exceeded those estimated in the Impact Assessment, it has been assumed that those organisations that did not agree that the estimated costs in the Impact Assessment were accurate incurred familiarisation costs equal to the weighted average reported (£14,315). It has also been assumed that the average number of hours taken for familiarisation by the remaining organisations is the same as that estimated in the Impact Assessment; that is, the remaining organisations are assumed to require eighteen hours of legal and senior management time. ONS ASHE data was used to obtain hourly wages in 2018. It has been assumed that all organisations in scope faced familiarisation costs, despite only 71% of operators of essential services and 90% of relevant digital service providers that responded to this question in the survey having reported facing this cost. This conservative approach is consistent with the NIS Post-Implementation Review 2020 and has been taken because it is likely that all organisations faced some familiarisation costs, even if these were treated as business as usual. Moreover, relative to the NIS Post-Implementation Review 2020, there was an overall increase in the proportion of organisations reporting having incurred familiarisation costs, by 13% for operators of essential services and 23% for relevant digital service providers.[footnote 73] This could indicate that, as the NIS Regulations have been in place for a longer period, organisations are better able to distinguish the amount spent on these costs from other related security spending. This leads to a total estimate of familiarisation costs of £740,377.37 in 2016 prices.

Table 4: Familiarisation costs, ONS ASHE 2018 revised figures. Median hourly wage source: ONS Annual Survey of Hours and Earnings, 2018 revised estimates.
The estimate for familiarisation costs is higher than the estimate in the Impact Assessment due to both the increase in the wage of IT directors from £34.30 per hour (provisional ASHE 2016 estimates) to £37.28 per hour (revised ASHE 2018 estimates), and the increase in the wage of legal professionals from £25.17 per hour (provisional ASHE 2016 estimates) to £37.28 per hour (revised ASHE 2018 estimates). In addition, the estimate of familiarisation costs is higher because the analysis takes into account self-reported costs by organisations. We consider that including self-reported costs is an improvement in methodology, as it provides a more accurate estimate given the evidence that familiarisation costs exceeded those estimated in the Impact Assessment. We also believe that this is an improvement relative to the methodologies used in the Impact Assessment and the 2020 Post-Implementation Review, as feedback received from the RPC called for a more robust assessment of the cost of familiarisation to organisations in scope of the Regulations. The respondents that stated their costs were higher often cited the need for all their technical staff to understand the Regulations, and also cited more senior positions with higher salaries than our estimates assumed, such as the information security manager. DCMS has noted this increase in familiarisation cost and will try to streamline the guidance it sends out to ensure that the Regulations are less burdensome for these organisations.

The NIS Regulations require organisations that have experienced an incident meeting the reporting threshold to report it to their Competent Authority within 72 hours of discovery by completing an incident notification form. The specific information required varies by Competent Authority; however, most of this information would normally be gathered as part of a business as usual response to a security incident.
The Impact Assessment estimated a total annual cost of incident reporting of £2,110. This was calculated by estimating a cost per incident of £54, based on one hour and fifteen minutes of legal, IT, and corporate time, and scaling this by the estimated number of incidents likely to be in scope of the Regulations each year (39), on the basis of data provided by the NCSC. The Impact Assessment also estimated, using data from the 2017 Cyber Security Breaches Survey, a total cost of £71,921 from a maximum of 1,348 incidents. The number of reported NIS-level incidents has continued to be lower than expected since the Regulations came into force, which implies a lower annual cost than estimated. Among those organisations that responded that the estimated costs in the Impact Assessment were not accurate for their organisation and that provided further details on the costs of incident reporting incurred (8 operators of essential services and 1 RDSP), 67% reported zero hours spent annually on incident reporting due to the NIS Regulations, with no associated costs.[footnote 74] This could be explained by the low number of reported NIS-level incidents in organisations. Overall, organisations that responded to the survey reported an annual weighted average cost of incident reporting of £1,658 in 2016 prices. This figure was mainly driven by one organisation that reported incident reporting costs of £100,000; it should be noted that this respondent appears to have included the costs of the incident response team and not just those of reporting. As costs and time spent on incident reporting were provided on an annual basis, it is not possible to estimate the cost per incident.

Due to the small number of responses, the majority of which indicated not having incurred any costs of incident reporting, it is not possible to assess whether the estimated cost of reporting each incident (£54) and the estimated time spent on incident notification were accurate. Hence, the estimated time taken to report an incident has remained unchanged: 45 minutes of an IT professional’s time to collect and present the information; 45 minutes for legal clearance; and 20 minutes for managers or senior directors to approve the notice. The Annual Survey of Hours and Earnings has been used to update the median hourly earnings in 2018 for the three occupations above. This is summarised in Table 5 below. Updating the incident reporting costs using revised and provisional wage rates (ASHE 2018-2021) yields a cost of £53.07 per incident in 2018 prices, which has been inflated annually from 2022 using the wage inflation rates in Table 3.

Table 5: Incident reporting wage costs, ONS ASHE 2018 revised figures. Median hourly wage source: ONS Annual Survey of Hours and Earnings, 2018 revised estimates.

The best (and low) estimate of the annual number of NIS incidents has been updated from Year 3 onwards of the appraisal period to a total of 13 incidents, using the number of incidents recorded by the NCSC in 2019. The number of incidents and estimated incident reporting costs for Year 1 and Year 2 are taken from the NIS Post-Implementation Review 2020, to reflect the estimation made closer to that time period. A flat rate of incidents is assumed for future years. The best (and low) estimate of the total cost of incident reporting is £9,857 over the 10-year appraisal period, in 2016 prices. The estimate for incident reporting costs is lower than the estimate in the Impact Assessment due to the updated number of incidents decreasing from 39 to 13 estimated incidents annually.
However, if incident reporting thresholds are adjusted in the future, this may affect the number of incidents meeting the reporting threshold. To account for uncertainty in the future number of incidents, and in line with HMT Green Book guidance, sensitivity analysis has been conducted by following the above estimation for the best (and low) annual number of NIS incidents but considering a scenario in which the number of incidents is doubled (26 incidents in total) from Year 3 onwards. This yields a high estimate of the total cost of incident reporting of £21,996 over the 10-year appraisal period, in 2016 prices.

The Impact Assessment also estimated the additional compliance costs of reporting requirements to Competent Authorities, such as completing the Cyber Assessment Framework or another type of assessment, as £80 for a small organisation, £275 for a medium sized organisation, and £549 for a large organisation.[footnote 75] These costs were calculated based on estimates of the legal and senior management time used (three and a half hours for small organisations, twelve hours for medium organisations, and twenty-four hours for large organisations).[footnote 76] Organisations that responded to the survey reported a weighted average annual additional compliance cost of £36,720, in 2016 prices.[footnote 77] Among these, the organisations that responded that the estimated costs in the Impact Assessment were not accurate for their organisation, and that provided further details on the additional compliance costs incurred, reported average additional compliance costs of £151,812 in 2016 prices, with reported costs ranging from £450 to £1,000,000.[footnote 78] Most organisations reporting these costs indicated that legal teams and management were involved in additional compliance activities, although a handful of organisations also pointed to engineers, IT staff, consultants, and information security managers being involved. The respondent that provided the figure of £1,000,000 was included, despite being an outlier, as they indicated that compliance takes over 2,000 hours of technical staff and middle management time, which could generate a very high cost.

As initial evidence suggests that additional compliance costs exceeded those estimated in the Impact Assessment, it has been assumed that those organisations that did not agree that the estimated costs in the Impact Assessment were accurate incurred additional compliance costs equal to the weighted average reported (£36,720). It has also been assumed that the average number of hours taken for additional compliance by the remaining organisations is the same as that estimated in the Impact Assessment for large operators of essential services only; that is, the remaining organisations are assumed to require 10 hours of a legal professional’s time and 14 hours of senior management time. Some organisations stated that their costs were higher because they use multiple technical staff to complete their compliance work, whereas the original estimates assumed that only directors would be involved from a technical standpoint. Organisations reported that they would use lead systems engineers, IT security analysts, OPS engineers and OT security engineers. ONS ASHE data was used for hourly wages between 2018 and 2021, with the wage growth rates in Table 3 used to estimate wage inflation rates from 2022 onwards.

Table 6: Additional compliance administrative costs, ONS ASHE 2018 revised figures. Median hourly wage source: ONS Annual Survey of Hours and Earnings, 2018 revised estimates.
Results of the survey show that 49% of operators of essential services and 50% of relevant digital service providers reported facing additional compliance costs as a result of the introduction of the Regulations (Figure 3).[footnote 79] Hence, our best estimate assumes that these proportions of operators of essential services and relevant digital service providers faced additional compliance costs in the year 2020/2021. We assume the same proportions for all future years of the appraisal period as, consistent with the 2020 Post-Implementation Review of the Regulations, the results of the survey continue to show that not all operators of essential services face these costs.[footnote 80] However, in Year 1 and Year 2 of the appraisal period it has been assumed that the additional compliance costs faced by organisations are equal to those estimated in the 2020 Post-Implementation Review. This leads to a best estimate of the additional compliance costs of reporting of £11,586,339 over the 10-year appraisal period, in 2016 prices.

High and low estimates of the additional compliance costs of reporting were also calculated by varying the proportion of organisations that incur these costs from 2022 onwards. The high estimate of £13,267,880 (2016 prices) assumes that all organisations in scope of the Regulations will incur these costs from 2022 onwards. This accounts for the possibility of higher compliance rates in the future, as well as for alternatives to the CAF used by Competent Authorities that lead to additional reporting requirements. The low estimate of £10,310,562 (2016 prices) assumes that no relevant digital service providers incur these costs from 2022 onwards. This reflects the fact that only operators of essential services are required to provide evidence in this way to competent authorities.

The estimate for additional compliance costs is higher than the estimate in the Impact Assessment as a result of both the assumption that the administrative compliance costs firms incur are equal to the estimated costs for large operators of essential services, and the inclusion of self-reported compliance costs. We believe that this is an improvement in methodology, as it provides a more accurate estimate given the evidence that additional compliance costs exceeded those estimated in the Impact Assessment.

The Impact Assessment also attempted to estimate the costs of additional security spending that would be incurred by organisations due to the introduction of the Regulations, based on responses to the consultation. As the Impact Assessment stated, any additional security spending by individual organisations will vary according to the existing measures and technical controls they have in place, and the extent to which they judge additional spending to be appropriate.[footnote 81] Nonetheless, the Impact Assessment provided high and low estimates of cyber security spending based on the consultation responses, with additional spending envisaged on measures such as increased staffing, investment in IT software, additional risk assessments and audits, staff training, and testing and monitoring systems.[footnote 82] The additional security spending estimated in the Impact Assessment is summarised in Table 7 below.

Table 7: IA estimated additional cyber security spending by size and type of organisation[footnote 83]

In the surveys conducted, operators of essential services and relevant digital service providers were asked in which areas they have invested, or plan to invest, relating to the security of the network and information systems used to provide their services.
Selected choices included spending on internal staff costs, physical security of IT and other systems related to the delivery of their service(s), and external costs. The findings are summarised in Figure 4 below. Figure 4: Proportion of organisations investing, or planning to invest, in areas relating the security of their network and information systems. In the surveys conducted, operators of essential services and relevant digital service providers were also asked to report the amount invested in additional security measures as a result of the introduction of the NIS Regulations both in the last and next 12 months. In order to help respondents answer the question more easily and maximise the response rate, the question divided spending into three categories: internal staff costs; physical security; and external costs. Response options were also banded, due to the commercially sensitive nature of the information, and the probability that organisations were unlikely to know the exact figure. These findings are summarised in Figures 5-8. The large majority of relevant digital service providers who responded to the survey indicated not knowing how much their organisation had invested in additional security measures in all areas relating to their network and information systems in the last 12 months (Figure 3). Given this, and the small number of responses, it is not possible to assess whether the previously estimated additional security costs in the impact assessment were accurate for relevant digital service providers. 
Figure 5: Relevant digital service providers - Investment in additional security measures as a result of the NIS Regulations in the last 12 months

“RDSPs: as a result of the NIS regulations, how much have you invested in additional security measures in the following areas relating to your network and information systems for your digital service(s) in the last 12 months?”

As previous evidence gathered in the 2020 NIS Post-Implementation Review suggested that relevant digital service providers spent more than the high estimated additional cost per business of £50,000, the additional security costs estimated for the appraisal period remain unchanged relative to those presented in the 2020 NIS Post-Implementation Review.[footnote 84] In line with this, the assumption that physical costs are one-off costs, while internal staff costs and external costs are ongoing annual costs, is maintained, as there is insufficient evidence of future areas of investment for relevant digital service providers (Figure 6). The total cost of security investments for relevant digital service providers over the 10 year appraisal period is estimated to be £137,409,226 in 2016 prices, with high and low estimates of £139,564,633 and £135,292,926 respectively.
Figure 6: Relevant digital service providers - Investment in additional security measures as a result of the NIS Regulations in the next 12 months

“RDSPs: as a result of the NIS regulations, how much do you plan to invest in additional security measures in the following areas relating to your network and information systems for your digital service(s) in the next 12 months?”

The findings from the survey questions on the amounts invested in additional security measures provided useful and important information on the extent and areas of investment among operators of essential services, and showed that between 17% and 32% of large operators of essential services who responded to the survey spent more than the high estimated additional cost per business of £200,000. This was calculated by taking the lower bound of each of the cost brackets that organisations selected for each of the three categories and aggregating these to obtain additional cost figures. Estimates of additional security costs for operators of essential services in Year 1 and Year 2 of the appraisal period were taken from the 2020 NIS Post-Implementation Review, to reflect the estimates calculated from the survey responses of that time. An estimate of additional security costs for operators of essential services in Year 3 and Year 4 has then been calculated using the survey data on investments in additional security measures in the past 12 months. Similarly, operators of essential services’ additional security costs in Year 5 onwards were calculated using survey information on investments in the next 12 months. Low, middle and high estimates were calculated by taking the low, middle and high values in each of the cost brackets (Figures 7-8) and applying them to the proportion of operators of essential services that reported having invested, or planning to invest, in each of the three cost areas (Figure 4).
It has been assumed that the distribution of investments for respondents who answered ‘don’t know’ is the same as the distribution of investment across organisations that did indicate the amounts invested. Cost distributions were calculated and applied separately for each of the areas related to the security of network and information systems before being aggregated to obtain a total cost estimate. It has further been assumed that internal staff costs, physical security costs and external costs are all ongoing costs for operators of essential services. This follows evidence from the survey of operators of essential services indicating that these organisations were planning to invest in all three areas in the next 12 months (Figure 8). The total cost of security investments for operators of essential services over the 10 year appraisal period has been estimated at £857,097,441 in 2016 prices, with high and low estimates of £914,851,940 and £799,346,893 respectively. These estimates are higher than previously for two reasons: first, there was an error in the previous calculations, where a cost was converted into a base of millions mid-calculation, causing a much lower estimate to be published; second, DCMS has reviewed its assumptions and, based on the responses received, physical costs are now treated as an ongoing cost and not an implementation cost.
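The bracket-based estimation method described above, as an added Python example rather than DCMS's own model: the spending bands, the ten survey responses, the organisation count and the two denominators used for the "share exceeding" figure are all constructed assumptions. It computes the share of respondents whose lower-bound spend across the three areas exceeds a threshold, the per-organisation annual cost from low/middle/high band values weighted by the proportion investing in each area (dropping "don't know" answers, which is equivalent to the same-distribution assumption stated above), and the total over the 10 year appraisal period with areas treated as either one-off or ongoing.

```python
"""Added example (not DCMS's model): survey-band estimation of additional security
spending. A respondent answers per area with a band name, "dont_know", or None
(not investing in that area)."""
from typing import Dict, List, Optional, Tuple

AREAS = ("internal_staff", "physical_security", "external")

# Constructed spending bands in GBP as (lower, upper); the review's real bands are not
# reproduced on the page. The top band is open-ended, so its upper value is its lower bound.
BANDS: Dict[str, Tuple[int, int]] = {
    "under_10k": (0, 9_999),
    "10k_to_50k": (10_000, 49_999),
    "50k_to_200k": (50_000, 199_999),
    "200k_plus": (200_000, 200_000),
}

Response = Dict[str, Optional[str]]

# Constructed responses from ten hypothetical operators of essential services.
RESPONSES: List[Response] = [
    {"internal_staff": "50k_to_200k", "physical_security": "10k_to_50k", "external": "50k_to_200k"},
    {"internal_staff": "200k_plus", "physical_security": "dont_know", "external": "10k_to_50k"},
    {"internal_staff": "10k_to_50k", "physical_security": None, "external": None},
    {"internal_staff": "dont_know", "physical_security": "dont_know", "external": "dont_know"},
    {"internal_staff": "under_10k", "physical_security": "under_10k", "external": None},
    {"internal_staff": "50k_to_200k", "physical_security": "50k_to_200k", "external": "50k_to_200k"},
    {"internal_staff": "200k_plus", "physical_security": "200k_plus", "external": None},
    {"internal_staff": "dont_know", "physical_security": "under_10k", "external": "10k_to_50k"},
    {"internal_staff": "10k_to_50k", "physical_security": None, "external": "under_10k"},
    {"internal_staff": None, "physical_security": None, "external": "10k_to_50k"},
]


def band_value(band: str, point: str) -> float:
    """Value assigned to a band for a low, middle or high estimate."""
    low, high = BANDS[band]
    if point == "low":
        return float(low)
    if point == "mid":
        return (low + high) / 2
    if point == "high":
        return float(high)
    raise ValueError(f"unknown point estimate: {point}")


def share_exceeding(responses: List[Response], threshold: float) -> Tuple[float, float]:
    """Share of respondents whose summed lower-bound spend across the three areas exceeds
    `threshold`; a "dont_know" answer adds nothing. Returned over all respondents and over
    respondents that gave at least one band (assumption: one way a range like 17%-32% arises)."""
    exceeding = 0
    with_any_band = 0
    for r in responses:
        bands = [r[a] for a in AREAS if r.get(a) not in (None, "dont_know")]
        if bands:
            with_any_band += 1
        if sum(BANDS[b][0] for b in bands) > threshold:
            exceeding += 1
    return exceeding / len(responses), exceeding / with_any_band


def average_per_investor(responses: List[Response], area: str, point: str) -> float:
    """Mean band value among respondents that gave a band for this area. Dropping
    "dont_know" answers equals assuming they follow the distribution of those who answered."""
    values = [band_value(r[area], point) for r in responses
              if r.get(area) not in (None, "dont_know")]
    return sum(values) / len(values) if values else 0.0


def proportion_investing(responses: List[Response], area: str) -> float:
    """Share of respondents investing in the area at all (any band, including "dont_know")."""
    return sum(1 for r in responses if r.get(area) is not None) / len(responses)


def per_org_annual_cost(responses: List[Response], point: str) -> Dict[str, float]:
    """Expected annual spend per organisation in each area: the average among investors
    weighted by the proportion of organisations investing in that area."""
    return {a: proportion_investing(responses, a) * average_per_investor(responses, a, point)
            for a in AREAS}


def appraisal_total(per_org: Dict[str, float], n_orgs: int, years: int = 10,
                    one_off: Tuple[str, ...] = ()) -> float:
    """Total for `n_orgs` organisations over the appraisal period. Areas in `one_off` are
    counted once (the earlier physical-cost assumption); the rest recur every year."""
    return sum(cost * n_orgs * (1 if area in one_off else years)
               for area, cost in per_org.items())


if __name__ == "__main__":
    mid = per_org_annual_cost(RESPONSES, "mid")  # n_orgs=100 below is a constructed count
    print(share_exceeding(RESPONSES, 200_000), round(appraisal_total(mid, n_orgs=100)))
```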
Figure 7: Operators of essential services - Investment in additional security measures as a result of the NIS Regulations in the last 12 months

“OESs: as a result of the NIS regulations, how much have you invested in additional security measures in the following areas relating to your network and information systems for providing your essential service(s) in the last 12 months?”

Figure 8: Operators of essential services - Investment in additional security measures as a result of the NIS Regulations in the next 12 months

“OESs: as a result of the NIS regulations, how much do you plan to invest in additional security measures in the following areas relating to your network and information systems for providing your essential service(s) in the next 12 months?”

Overall, aggregating the total cost of security investments for operators of essential services and relevant digital service providers yields a total cost of security investments for all organisations over the 10 year appraisal period of £951,663,313 in 2016 prices, with high and low estimates of £1,014,608,076 and £888,761,885 respectively. Again, note that the calculation error and the change in assumption have driven these estimates up. Whilst DCMS cannot guarantee that this cyber security spending is optimal, the Regulations are outcome-based in nature and some of this spending will be undertaken to improve organisations’ cyber security. This is facilitated through spending to improve their outcomes against the Cyber Assessment Framework. The Cyber Assessment Framework looks for meaningful cyber security improvements, so if this spending is directed at improving against the Cyber Assessment Framework, there is a low probability that it is simply the result of complying with the Regulations rather than improving security outcomes. The Impact Assessment also identifies additional administrative costs resulting from enforcement activity as a possible cost to businesses.
Given that few information notices have been issued by Competent Authorities, it is not possible to robustly quantify or monetise the burden on organisations from enforcement activities. Moreover, there have been no appeals or penalty notices. This is in line with the 2020 NIS Post-Implementation Review. However, this may change if enforcement activity increases in future, in which case this question will be best answered in subsequent reviews. In addition to testing the assumptions and cost estimates specified in the Impact Assessment, the review team also tested whether organisations had incurred any unexpected costs that were not addressed in the impact assessment. The majority of operators of essential services and relevant digital service providers reported not having incurred any unexpected costs that were not covered in the original NIS Impact Assessment (83% of operators of essential services and 83% of relevant digital service providers).[footnote 85] Unexpected costs which organisations did incur included costs related to independent external auditors and consultants, replacing downstream legacy infrastructure, and time spent assessing compliance levels, including extra time spent ‘unpicking’ the Cyber Assessment Framework. Some operators of essential services reported fees from Competent Authorities and legal consultations as unexpected costs, but these costs were clearly stated in the impact assessment.[footnote 86] In response to the consultation impact assessment, the Regulatory Policy Committee outlined other possible costs that may be incurred by business,[footnote 87] which are addressed here in turn:

i) Whether the directive affects the price of essential services and the number of workers employed by essential service providers.
Hiring of additional staff was indicated by 43% of operators of essential services and 8% of relevant digital service providers as an action taken, with regard to resourcing, to support the implementation of the NIS Regulations when they were introduced.[footnote 88] However, the evidence indicates that the directive has had no significant effect on the price of essential services, as the majority of organisations (93% of relevant digital service providers and operators of essential services) indicated either not having passed any costs on to consumers as a result of the introduction of the NIS Regulations, or that this was not applicable because they do not charge for their services or control the prices charged to consumers.[footnote 89] This is consistent with the 2020 NIS Post-Implementation Review, in which only 1% of operators of essential services and 6% of relevant digital service providers reported having passed on costs incurred as a result of the Regulations to consumers.[footnote 90]

ii) Whether the measures will have a disproportionate impact on small businesses.

There is no direct evidence that the directive has had a disproportionate impact on small businesses. The impact assessment estimated that, with one exception (in the digital infrastructure sector), no operator of essential services is a small or micro business, and small and micro businesses are specifically excluded from the DSP aspect of the directive.[footnote 91] Although it is not clear what the overall size of the small business population brought into scope of the Regulations is, no small organisations completed the online survey as part of the review process, and none of the responding Competent Authorities indicated having a small business in scope of the NIS Regulations.
This differs from the 2020 NIS Post-Implementation Review, in which two small organisations completed an online survey as part of the review process, and two Competent Authorities indicated having a small business in scope of the NIS Regulations. Small businesses were defined in the same way as in the 2020 Post-Implementation Review, as having: not more than 50 employees; turnover <£10.2m; and balance sheet total <£5.1m. This means that, as the NIS Regulations stand, there is no direct impact on small and micro businesses, as none have been identified as being in scope of the NIS Regulations. Whilst there were 2 SMEs in the last review, these companies might have fallen below the designation thresholds, ceased trading, or grown into larger organisations. Unfortunately, DCMS does not keep data on which companies are designated under the NIS Regulations, so we cannot check which is the case. From the other evidence we have gathered, we have no evidence that the Regulations are overburdensome, as our estimated costs in the Impact Assessment were smaller for smaller businesses.

iii) Whether costs will differ among essential service providers from different sectors (e.g. energy, transport and health care).

In order to address this question we conducted further analysis to determine whether security investments systematically differed across sectors, both across and within spending categories (internal staff, physical security, and external costs). This analysis made use of the previously presented survey findings in which organisations were asked to report the amount invested in additional security measures as a result of the introduction of the NIS Regulations, both in the last and the next 12 months (Figures 7-8). An estimate of the average amount invested by sector was obtained by taking the middle values in each of the cost brackets and applying them to the proportion of organisations that reported having invested, or planning to invest, in each sector.
We excluded from the analysis those respondents who indicated not knowing this information. Moreover, the analysis was only conducted where the number of respondents in the sector was greater than three, to ensure the anonymity of respondents. Finally, to account for possible time variations in investments (i.e. organisations investing more in the future as a result of having invested less in the past, and vice versa), comparisons across sectors were drawn using the average of the past and estimated future investments reported. These findings are summarised in Table 7 below.

Table 8: Estimated average annual investments in additional security measures across sectors[footnote 92]

Organisations in the water sector have the highest average amount invested annually across the three spending categories, followed by organisations in the health sector. Overall, organisations in the health and transport sectors appear to have significantly lower average annual investments than organisations in the energy and water sectors. While one possible explanation for this could relate to differences in cyber security preparedness across sectors, it is difficult to assess this without a better understanding of the main drivers for investment in each sector. As such, this would be better addressed in subsequent reviews. DCMS will provide competent authorities that request their sector’s data with a summary of the findings for their sector. This feedback is being highlighted to competent authorities to help them implement the Regulations as effectively as possible in their sector. Costs could also vary between sectors due to the different nature of their network and information systems.

iv) Whether the impact assessment has considered all the potential costs and benefits.

Costly interaction between the NIS directive, the UK General Data Protection Regulation (GDPR) and the e-privacy directive.
Relevant digital service providers indicated a link between NIS-related investments in their organisation and measures taken to comply with the DPA 2018 and UK GDPR in 54% of cases.[footnote 93] Moreover, all of the RDSP respondents who reported having strengthened existing processes or procedures for recovery from a security incident as a result of the NIS Regulations indicated that these processes were influenced or affected by the UK General Data Protection Regulation and the Data Protection Act 2018.[footnote 94] In addition, 78% of operators of essential services and 86% of relevant digital service providers reported complying with the UK General Data Protection Regulation and the Data Protection Act 2018 as a reason for taking action to improve network and information systems security prior to the introduction of the NIS Regulations.[footnote 95] Despite these indications of an interaction between the NIS Directive and the UK General Data Protection Regulation, only one out of four organisations that responded to a question on challenges indicated that this led to an increase in costs, as a result of having to assess incidents against additional criteria as well as exposure to fines under both NIS and UK GDPR. Based on this, and given that the approach of the directive was aligned with that of the UK GDPR, we do not find substantial evidence of this interaction resulting in higher costs for organisations. With regard to financial penalties, the directive included a requirement that other legislation be taken into account to minimise duplication of fines, and thereby minimise the possible costly interaction between the NIS directive and other regulations. DCMS has taken note that one out of four organisations feels there is a costly interaction between the two sets of regulations, and we will work with data policy stakeholders going forward to ensure that any changes made to the NIS Regulations produce as little costly interaction as possible.
Establishment costs for regulators.

A multiple competent authorities approach was identified in the impact assessment as the most suitable approach, allowing lead government departments and regulators to build on their existing sector relationships and use their sector expertise to set guidelines and conduct enforcement activity. As set out in the impact assessment, lead government departments and the devolved administrations provided their best estimate of additional resources from the information available. In order to assess the accuracy of the estimated establishment costs as part of the review process, DCMS asked Competent Authorities to report the cost of implementing the NIS Regulations, and the establishment cost estimates have been updated accordingly. These estimates are laid out in the following section of the post-implementation review.

Increase in revenue of digital service providers from providing security services to essential service providers.

There is no specific evidence that there has been an increase in revenue of digital service providers from providing security services to essential service providers. 67% of operators of essential services who responded to the survey indicated having invested, or planning to invest, in external costs related to the security of the network and information systems used to provide their services.[footnote 96] These costs included outsourcing the management of cyber security and hiring external consultants and/or expertise, among others. It is not clear whether there is an overlap between this category of external resource and the services provided by digital service providers in scope of the Regulations. As such, it is not possible to assess whether there has been an increase in revenue of digital service providers as a direct result of the introduction of the Regulations.
Competent Authority costs

Under the NIS Regulations, costs incurred by Competent Authorities in regulating NIS are in some cases passed on to organisations. The impact assessment included high-level estimates of the annual costs of operating Competent Authorities. As part of the review process, DCMS asked Competent Authorities to provide estimates of the annual costs they have incurred as a result of the NIS Regulations; of the ongoing annual costs they expect to incur in the future; and of their initial one-off implementation costs. This is summarised in Table 8. The figures suggest that in most cases the estimates in the impact assessment were too high, although the majority of Competent Authorities indicated that they expect costs to increase in the future. Some of the drivers of future cost increases include the new legislative measures currently being proposed by DCMS, as well as the delivery of the Cyber Assessment Framework. As a result, where a Competent Authority is passing on operating costs to organisations, increased operating costs will likely lead to increased costs to organisations. Proposed amendments to the Regulations, including bringing new firms under the Regulations or changing the incident reporting guidelines, may also increase the future costs incurred by organisations. Why these changes are necessary, and how the Department intends to take action to make them, is explained in sections ten and eleven of this review. Where possible, estimated one-off implementation costs were taken from the NIS Post-Implementation Review 2020, as we consider those figures to be more accurate since that review was closer to the implementation period.[footnote 97] Most Competent Authorities indicated that they incurred significant one-off implementation costs.
Only Defra and the ICO had previously indicated estimated one-off set-up costs in the impact assessment, of £998,000 and £100,000 respectively.[footnote 98] In both cases the initial implementation cost incurred was lower than that estimated in the impact assessment. Implementing the Regulations has led to other costs for government, which are addressed here in turn:

In implementing the NIS Directive, the UK was required to designate a single point of contact to act as a liaison on NIS matters within the EU and between different national competent authorities. The single point of contact’s core tasks include preparing a summary report of incident notifications and forwarding cross-border incidents to the single points of contact in other Member States. The NCSC is the UK’s single point of contact. These requirements will no longer apply following the end of the Transition Period, and the SPOC will have much more flexibility over what it must share internationally, whilst remaining the core point of contact for the UK.

As the UK’s national technical authority for cyber security, the NCSC incurs costs in providing technical cyber security support to Competent Authorities. This includes the continued development and maintenance of the Cyber Assessment Framework and associated guidance.

As lead government departments, BEIS, DfT, DHSC, Defra and DCMS incur staffing costs in the day-to-day management of the NIS Regulations, and in broader policy and review work. The Cabinet Office also has responsibility for managing and coordinating the National Cyber Security Strategy, of which the Regulations are a part.

Table 9: Estimated and reported Competent Authority annual costs, 2016 prices

*Figures from NIS PIR 2020.
**Where no future cost data was provided, it has been assumed that future costs will be equal to current annual costs.

The cost of operating Competent Authorities was calculated using the estimates provided by the Competent Authorities in Table 8.
In Year 1, the cost was assumed to be the one-off implementation cost plus the annual cost reported in the NIS Post-Implementation Review 2020.[footnote 103] Where competent authorities did not provide an estimate of their implementation costs in the 2020 NIS PIR, this cost was taken to be equal to the estimated cost provided by competent authorities in their report for this Review. Year 2 and Year 3 costs reflect, respectively, the annual costs and future annual costs reported in the NIS Post-Implementation Review 2020.[footnote 104] Year 4 and Year 5 cost figures are equal to the reported annual costs (Table 8). Costs in Year 6 onwards are assumed to be equal to the reported future annual costs (Table 8). Where future costs were not provided, it is assumed that annual costs will remain constant for the remainder of the appraisal period. The total one-off implementation cost of setting up Competent Authorities has been estimated at £1,913,379, while the total ongoing costs have been estimated at £44,015,607 over the 10 year appraisal period, in 2016 prices. It has been assumed that Competent Authorities did not pass their initial implementation costs on to businesses, and that the operating costs of the public sector regulators have not been passed on to their public sector operators of essential services. These are therefore costs to the government. The total cost of operating Competent Authorities over the 10 year appraisal period has been estimated at £44,982,987 in 2016 prices. Sensitivity analysis has also been conducted to account for uncertainty in future costs by varying total costs by 20%. This gives low and high estimates of £40,264,896 and £56,081,017 respectively.
Benefits
The key benefit of the Regulations outlined in the impact assessment was the expected improvement in security, which would lead to a reduction in the risks posed to essential services relying on network and information systems. This in turn would benefit the UK’s economic prosperity, as we rely on these services to support economic output and societal wellbeing. It was expected that these benefits would derive from both a reduction in the number of incidents with significant disruptive effects, due to improved protective measures, and a reduction in the impact of incidents, due to appropriate incident response plans being put in place.

Incident reduction

Building on the previous post-implementation review, DCMS has received incident data for the years 2019 and 2020. The NCSC, acting in its NIS Single Point of Contact role, collates NIS incident data with a one-year lag. In 2019 and 2020 there were 13 and 12 incidents respectively. Whilst there appears to be a decline in incidents of 1, this does not show us the risk that these organisations pose to the UK economy. Both operators of essential services and digital service providers were aware of the incident reporting thresholds, with 93% and 92% of organisations respectively being aware of them.[footnote 105] Whilst 69% of digital service providers and 69% of operators of essential services found the incident reporting thresholds appropriate for their sector, 7 out of 9 competent authorities reported that the incident reporting threshold was too high, suggesting that the number of NIS incidents in its current form may be an inappropriate metric. The number of incidents reportable under the NIS Regulations is lower than initially expected in the impact assessment, where the best estimate of annual incidents was 39.
The number of incidents being lower than expected and decreasing is unlikely to be explained by Covid-19, as the pandemic has seen the number of cyber incidents that the NCSC is involved in increase.[footnote 106] Overall, 59% of operators of essential services and 46% of relevant digital service providers who responded to the survey indicated having up-to-date incident response plans as a result of the introduction of the NIS Regulations.[footnote 107] As a result, the impact that incidents have on the provision of services by organisations in scope of the Regulations is likely to be reduced. Moreover, the increased cyber resilience resulting from this could mean that there has been a reduction in the number of incidents that meet the thresholds, although there is not enough evidence to conclude this. Due to the lack of sufficient evidence, it is not possible to build a counterfactual of the number of incidents that would have occurred had the Regulations not been introduced. Even if the number of attacks avoided could be calculated, estimating the cost associated with this would entail several difficulties. For example, although the WannaCry attack on the NHS in 2017 was well documented, the costs associated with it were only estimated on the grounds of lost output and IT costs, and did not incorporate the knock-on impact on patients, with over 19,000 appointments cancelled.[footnote 108] Even without taking into account these social costs, the total financial cost of WannaCry was estimated at £92m.[footnote 109] This figure illustrates the potential benefits to the organisation itself of avoiding a cyber breach, thereby highlighting the significant positive impact that the Regulations can have on organisations.
The Cyber Security Breaches Survey reveals that the mean cost of a cyber breach to medium/large UK businesses is £3,930 (in 2021 prices).[footnote 110] There are issues with using this estimate, as it covers the internal costs to businesses and does not include the social costs of an essential service being taken down. As the original impact assessment states, the rationale for intervention is centred on the cost to society and the negative externality that cyber risk in these organisations creates. The £3,930 figure also includes breaches that would never be reported under the NIS Regulations, such as phishing incidents, a second reason that the estimate is an underestimate and inappropriate for use in this analysis. Furthermore, the size of the benefit external to the organisation is highlighted by research referenced in the Impact Assessment, which modelled the economic costs of a sophisticated cyber attack on the electricity distribution network in the South East of the UK. The modelled scenarios show a loss of electricity supply from an attack affecting between 9 million and 13 million electricity customers. The knock-on effects include disruption to transportation, digital communications and water services for 8 to 13 million people.[footnote 111] The economic losses to sectors were modelled to be in the range of £11.6 billion to £85.5 billion in the different variants of the scenario. The overall GDP impact of the attack amounts to a loss of between £49 billion and £442 billion across the UK economy in the five years following the outage, when compared against baseline estimates for economic growth.[footnote 112] A recent attack on Kaseya demonstrated that digital service providers need to have good cyber security. Up to 1,500 firms were impacted as a result of a digital service provider being breached.[footnote 113] This again demonstrates the large impact outside the firm that a cyber attack can have, and the negative externality from poor cyber security.
This also highlights a further point raised by competent authorities about the risks posed by the supply chains of firms regulated under NIS. Although the estimated cost of the attack remains unclear, the cybercrime group initially demanded a payment equivalent to $70m.[footnote 114] Cyber threats to critical national infrastructure in the UK are ever present. A recent independent report commissioned by Bridewell Consulting found that 86% of the critical national infrastructure organisations interviewed had detected a cyber attack on their systems in the past 12 months. Of those 86%, 93% experienced at least 1 successful attack in the last 12 months.[footnote 115] This demonstrates that the examples above could become realistic recurring scenarios without the good cyber resilience enforced by the NIS Regulations.

Other reported benefits

Benefits other than incident reduction have been recorded in the surveys by both the organisations regulated and the competent authorities. 71% of operators of essential services stated that they have seen an increase in board support for cyber security, and 43% reported the Regulations improving their understanding of their organisation’s aggregate risk.[footnote 116] Only 13% of operators of essential services reported not having any unexpected benefits.[footnote 117] Other benefits cited in open text responses include: improving the way they assess their supply chain; improving engagement with customers; and, for two organisations, an improvement in general awareness of cyber security.
Relevant digital service providers indicated fewer unexpected benefits than operators of essential services, with 46% of respondents saying they had no unexpected benefits.[footnote 118] 31% of relevant digital service providers did report having an improved understanding of their firm’s aggregate risks, 31% also stated they had increased board support for cyber security, and 23% stated they had updated general incident management processes.[footnote 119] These benefits were reported less often than in the last post-implementation review across all respondents: improved understanding of their organisation’s risk (-51% relative to the last Post-Implementation Review), updated general incident management processes (-44%), increased board support for cyber security (-34%), and having shared good practices with other relevant digital service providers (-100%). These benefits still exist; there are just fewer respondents reporting them.
Aggregated costs and benefits
The costs and benefits have been developed from the last review, where certain unknowns, such as the number of incidents reported under the NIS Regulations, are now based on data from previous years. Assumptions that have since proved to be wrong, such as physical costs being a set-up cost instead of an ongoing cost, have now been amended in our modelling, and this is one reason why costs have increased. Whilst the benefits section was not able to deliver a monetised benefit, this is something that will always be a problem regardless of the review period or the resources available. Using evaluation techniques such as quasi-experimental designs would not be possible, due to the differing regulations in other countries, which would make it impossible to determine what is driving the impact. There would also be the issue that other countries report on different definitions of cyber incidents, and some not at all. The total net present value (Table 9) was calculated by aggregating the total quantified costs over the 10 year appraisal period, deflating to 2016 prices and discounting at a rate of 3.5% to a base year of 2018. While it has been assumed that Competent Authorities did not pass any of their initial implementation costs on to organisations, the costs incurred by Competent Authorities in regulating private sector organisations have been assumed to have been passed on to business, although costs may not have been transferred by all Competent Authorities, and certain costs cannot currently be transferred due to limitations on cost recovery powers (see Section 10). Consistent with the impact assessment, the benefits have not been quantified, for the reasons examined above. Estimated figures from the Impact Assessment and the calculations for this PIR are presented below:

Table 10: Total costs and benefits

There has been a large increase in the net direct cost to business.
This has mainly been due to two reasons: a change in assumptions around spending on additional cyber security costs; a correction on the last post-implementation review due to a calculation error. Firms spending more money on their cyber security, whilst counted as a cost, should increase the benefits, provided the spending is carried out on the right cyber security activities. This increased security will lead to a lower risk posed to the UK economy from a firm’s cyber security, a key aim of the policy. For this policy to break even based on the likely under estimate of the wannacry attack at £92m the NIS Regulations would have to avoid less than 1 wannacry attack per year, although given the likely underestimate of this cost it is likely to be a much lower rate than 1 per year. DCMS’s work on quantifying and monetising the cost of breaches going forward will help to better assess the breakeven of the NIS Regulations going forward.
There is strong evidence that government intervention in the form of these regulations is still required. Analysis done through this Post-Implementation Review has indicated that there are incentives to improve network and information systems security (please refer to section 5); these vary from previous experiences of a breach to incentives to avoid financial loss and maintain business continuity.
Compliance with other regulations has also been cited as a reason; however, since the introduction of the NIS Regulations, there has been a marked increase in the introduction or strengthening of policies and processes to protect network and information systems. Considering that there is a lack of financial incentive for investment in this space, and the potential impact on the operator and the wider economy due to a breach, it is vital that these improvements continue at a rapid pace. Without regulation, new emerging sectors risk being undermined by operators offering insecure services, putting customers and ultimately the economy at risk.
This aligns with responses from the May 2021 Supply Chain Call for Views.[footnote 120] Respondents indicated that despite supply chain cyber security risk being a concern, there was little will from companies themselves to prioritise investment in this area. In the 2021 Cyber Security Breaches Survey, only 36% of large firms reviewed the cyber risks from their immediate suppliers. This highlights the need for regulation to assist organisations in managing their cyber risk. In the Supply Chain Call for Views, respondents were asked about 5 different government actions.[footnote 121]
More than 80% of respondents stated that each of the 5 government actions to incentivise higher quality supply chain risk management would be at least somewhat effective. The action with the highest proportion of respondents stating it would be very effective was the option to implement "Regulation to make procuring organisations more responsible for their supplier risk management", with 58% of respondents rating it ‘Very effective’.[footnote 122] It can be assumed from this feedback that regulatory incentives are, from industry’s perspective, still deemed the most effective way to drive behavioural change. It is important to note that the government seeks overall to maintain a proportionate approach, and will balance more forceful interventions, such as the NIS Regulations, with softer involvement.
Other levers to improve cyber security in UK companies are being explored, such as raising awareness through cyber insurers and other market influencers. These alternative interventions, however, will apply largely to firms that pose a lower risk to the economy should they suffer a cyber breach. DCMS deems that market intervention is still required for the firms that are essential to the UK economy, and that the tools used to implement the NIS Regulations, such as the Cyber Assessment Framework, ensure that these firms implement the required cyber security improvements.
In order to ensure that the regulations remain appropriate and that their effectiveness is evaluated appropriately, this Post-Implementation Review recommends that the government consider more in-depth and tailored key performance indicators for the next reporting period. As the next Review is due in no more than 5 years’ time, this will allow for a more in-depth study; the following sections on areas for improvement and next steps will consider the need for this.