A Joint Select Committee has warned that the Network and Information Systems Regulations 2018 are not a ‘silver bullet’ when it comes to protecting Critical National Infrastructure (CNI) from cybersecurity threats.
The Committee’s misgivings are set out in the second report to emerge from its inquiry (the first dealt with cybersecurity skills).
The report more generally covers the challenges of protecting national infrastructure, outlines the National Cyber Security Strategy and defines what ‘critical’ means in this context, but Part 4 deals with the NIS Regulations. While welcoming the more robust regulatory framework these regulations introduced, which they expect to “set a higher benchmark for cyber risk management”, the report’s authors go on to say the NIS Regulations are not a ‘silver bullet’ because:
- “of their limited scope, leaving some CNI sectors still without statutory regulation and enforcement powers for cyber risk management;
- of the fragmented responsibility for the NIS Regulations’ implementation across Whitehall, Devolved Administrations and regulators remains confusing and acts as a barrier to cross-sector consistency and collaboration—in particular, the introduction of joint Competent Authorities in some sectors clouds accountability and effectiveness; and
- some designated ‘Competent Authorities’ currently lack the expertise and capacity to provide credible assurance of operators’ efforts—an issue we addressed directly in our July Report on cyber security skills.
We are therefore concerned that the NIS Regulations will not be enough in themselves to achieve the required leap forward in cyber resilience across all CNI sectors.”
The Committee is also concerned about the potential impact of Brexit, “given that cyber threats do not stop at national borders”, and so urges the Government to “prioritise maintaining access to the EU’s NIS Coordination Group and its workstreams to facilitate continued information-sharing and collaboration with EU Member States.”