At least 432 businesses in the UK are likely to be affected by the Network and Information Systems (NIS) Regulations 2018, according to an impact assessment carried out by the UK government.
The regulations come into force next month and transpose the EU Network and Information Security (NIS) Directive into UK law. They are aimed at improving the cyber resilience of the UK's critical infrastructure providers.
According to an explanatory note accompanying the regulations, around 432 businesses will be affected across the five sectors of water, digital infrastructure, energy, health and transport, plus digital service providers. The note said that businesses will incur administrative costs as they familiarise themselves with the legislation and its implications for their firms.
It said that the familiarisation cost for large operators of essential services is estimated at £278,601, while for medium and small businesses the estimates are £12,544 and £1,320 respectively. It added that the estimated total cost of operating the competent authorities is £4,104,035 per year.
According to the impact assessment, there are 268 health sector organisations that will be affected by the new regulations. Any cost borne by these organisations due to the Directive will be counted as costs to government and not included in the business impact target, it said.
The assessment said that the set-up costs for implementing these regulations are £23,410,341 for government and £32,483,885 for businesses in the first year.
“Annual on-going costs to businesses are £21,786,176 (from Year 2) in the best estimate. Costs to government include £176,931 familiarisation cost, £147,148 compliance cost, £38,262 reporting cost, and £23,048,000 additional cyber security spending,” said the note.
Azeem Aleem, global director of the Worldwide Advanced Cyber Defence Practice at RSA Security, told SC Media UK that the regulations have “slipped somewhat under the radar, but the requirements will have significant consequences for those it applies to”.
“In order to meet the new requirements, companies must have really good visibility into their systems and context around all of the user or machine activities taking place. This means conducting regular, thorough risk assessments, understanding the dependencies between systems, using advanced threat detection to monitor systems for signs of an attack and contextualising any suspicious results in order to prioritise where security analysts should focus their efforts,” he added.
Jalal Bouhdada, founder and principal ICS security consultant for Applied Risk, told SC Media UK that the NIS Directive seems to have escaped much of the limelight in the build-up to its implementation, with the GDPR frequently receiving the media's attention.
“That could be down to a lack of attacks against critical national infrastructures, as recent revelations from the UK's National Cyber Security Centre revealed that it has prevented over a thousand cyber-attacks in the last year, none of which were aimed at such technologies,” he said.
“But there have been many examples of these attacks within Europe and further afield, with experts now predicting that attacks on critical infrastructures are set to increase by 100 percent over the next two years, due to the rise of internet connected devices and a digital skills shortage. Now is therefore the time to start preparing for its implementation.”
Justin Lowe, a digital trust and cyber security expert at PA Consulting Group, told SC Media UK that one caveat to bear in mind is that the NIS Directive might not apply to all of an organisation's operations.
“Companies should examine their services and determine which would be considered ‘essential services’ under the directive. It is also important for companies to understand these services can be dependent on others, whether these are internal services or external third parties, and the OES [operator of essential services] will be responsible for the resilience of its suppliers and supply chain,” he said.