At least 432 businesses in the UK are likely to be affected by the Network and Information Systems (NIS) Regulations 2018, according to an impact assessment carried out by the UK government.
The act is to come into force next month in line with the EU Network and Information Services Directive. The regulations are aimed at improving infrastructure resilience for UK critical infrastructure providers.
According to an explanatory note accompanying the act, around 432 businesses will be affected by these regulations across the five sectors of water, digital infrastructure, energy, health and transport, and digital service providers. The note said that administrative costs will be incurred by businesses as they familiarise themselves with the legislation and its implications for their firms.
It said that the familiarisation cost for large essential services is estimated at £278,601, while for medium and small businesses the costs are £12,544 and £1,320 respectively. It added that the estimated total cost of operating the competent authorities is £4,104,035 per year.
According to the impact assessment, there are 268 health sector organisations that will be affected by the new regulations. Any cost borne by these organisations due to the Directive will be counted as costs to government and not included in the business impact target, it said.
The assessment said that the set-up costs for implementing these Regulations are £23,410,341 for government and £32,483,885 for businesses in the first year.
Requires a good understanding of business systems
Azeem Aleem, global director of the Worldwide Advanced Cyber Defence Practice at RSA Security, told SC Media UK that the regulations have “slipped somewhat under the radar, but the requirements will have significant consequences for those it applies to”.
“In order to meet the new requirements, companies must have really good visibility into their systems and context around all of the user or machine activities taking place. This means conducting regular, thorough risk assessments, understanding the dependencies between systems, using advanced threat detection to monitor systems for signs of an attack and contextualising any suspicious results in order to prioritise where security analysts should focus their efforts,” he added.
Justin Lowe, a digital trust and cyber security expert at PA Consulting Group, told SC Media UK that one caveat to bear in mind is that the NIS directive might not apply to all of an organisation’s operations.
“Companies should examine their services and determine which would be considered ‘essential services’ under the directive. It is also important for companies to understand these services can be dependent on others, whether these are internal services or external third parties, and the OES will be responsible for the resilience of its suppliers and supply chain,” he said.