Earlier this year, the UK government set out its proposals for updating the UK's Network and Information Systems (NIS) Regulations, the UK counterpart to the EU's second NIS Directive (NIS2). The regime requires cloud service providers to follow certain information security practices, with obligations scaled to the provider's size and annual revenue. During a meeting with the MSP division of the National Cyber Security Centre, the planned regulation of managed service providers (MSPs) in the UK was shared: MSPs will be regulated under the UK version of NIS2 alongside cloud service providers, with the UK Information Commissioner's Office serving as the regulator.
The UK government first implemented the EU NIS Directive through the UK NIS Regulations in May 2018, with the aim of better protecting critical national infrastructure (CNI) in the UK. The EU's purpose in creating the directive was to standardize the level of preparedness across the Union; its other main objectives were to promote a culture of risk management and to require the reporting of incidents.
Since then, both the EU and the UK have drafted legislation that brings managed service providers into the updated NIS regime. Termed NIS2, this legislation will require MSPs to adhere to a set of cybersecurity principles intended to protect critical national infrastructure.
What Does it Mean to Me as an MSP?
The EU NIS2 Directive sets out 31 minimum security measures. Like most cybersecurity frameworks, they are not prescriptive in nature, and they have been aligned and mapped to three major global frameworks. The UK version of NIS2 for MSPs has not been finalized as of this writing, and the final safeguards will not be known until Parliament votes on the legislation. EU member states, by contrast, must each transpose the NIS2 Directive into national law by the October 2024 deadline. The UK legislation is currently waiting for a slot on the parliamentary schedule, and with a general election due next year, the UK requirements for MSPs may take a little longer to be enacted.
In addition to protecting critical national infrastructure, this legislation is intended to limit the economic damage a cyber incident can cause. Governments around the world recognize that small businesses are the backbone of any economy, and cyber incidents have hit those businesses hard over the past several years.
SMBs should take a hard look at the role their business plays in the local economy. In the U.S., for example, small and medium businesses with fewer than 500 employees generate roughly half of gross domestic product. Whatever the exact figures elsewhere, including in the EU, many governments around the world are contemplating similar legislation. Change is coming for the industry, and the industry needs to be prepared.
Compliance Will Lead to Opportunity
Right or wrong, compliance-driven regulation carries significant risk for MSPs of every size. Fines for non-compliance could push many smaller MSPs out of business, which would in turn harm the economy if MSPs are not properly prepared. MSPs have an opportunity to start implementing these security measures proactively, and getting your organization ready does not necessarily mean spending an enormous amount of capital.
Implementing these security measures is also the first step in reducing the impact of a security incident. Where to start should be a calculated decision rather than a "start at the top and work down" approach. You may also find that you have already implemented some of these measures; keep that in mind as you review them. I strongly recommend assessing the risk each measure addresses for your organization and starting with those that will have the greatest impact.
As with any cybersecurity undertaking, reach out to other members of the CompTIA UK & Ireland Community for assistance and guidance if needed. Others around the globe have already evaluated and implemented a number of these security measures; use their lessons learned to save yourself frustration and aggravation. Remember that these are the minimum standards: as an MSP you will need to implement other safeguards to strengthen your security posture and further reduce the impact of a security incident. Finally, this is not a checklist exercise. Build in continuous monitoring, alerting and reporting so that the organization can keep maturing its cybersecurity.
Wayne R. Selk, CDPSE, is the vice president of cybersecurity programs at CompTIA.