In case you have been living under a rock, without a WiFi connection, or in some other inhospitable place devoid of trade news and / or gossip, the government has updated the Network and Information Systems (NIS) Regulations.
This is a move away from the EU standard and it brings some changes for our sector. After pawing my way through a lot of government stated self-congratulatory fluff, I eventually managed to find something of substance to indicate what the new NIS changes actually mean to the MSP channel.
The ICO sums it all up in a few bullet-pointed paragraphs:
NIS is intended to establish a common level of security for network and information systems. These systems play a vital role in the economy and wider society, and NIS aims to address the threats posed to them from a range of areas, most notably cyber-attacks.
Although NIS primarily concerns cybersecurity measures, it also covers physical and environmental factors.
NIS applies to two groups of organisations: ‘operators of essential services’ (OES) and ‘relevant digital service providers’ (RDSPs). This guide provides details about the requirements NIS places on RDSPs. Although aimed at RDSPs, it may also be useful for OES.
There is a general exemption for digital services that are small and micro-businesses, unless they are part of a larger group or are controlled by larger organisations.
The ICO is the ‘competent authority’ for RDSPs. We have a range of powers that we can use to enforce NIS, including issuing fines of up to £17 million in the most serious cases.
In short, the big change is that MSPs are now in scope and to be included in their clients’ compliance with the NIS Regulations. Naturally, this brings with it both increased responsibility and liability for certain services. Like other things that the ICO governs, the regulation is written in a bit of a vague way; I imagine that this is to allow for developments over time, and for precedents to be set so as to make it all a bit more intelligible.
The plus side is that a few less reputable MSPs may find themselves regulated out of the trade, leaving opportunity for those that deliver consistently high quality services to their clients, to move in and do things professionally for appropriate remuneration.