Today I am publishing the statutory post- implementation review of the Network and Information Systems Regulations 2018 on the Government’s website. This is the second review of the regulations since their implementation.
The regulations came into force in May 2018. The objective of the regulations is to improve the security of network and information systems which are critical to the provision of essential services and digital services which, if disrupted, could cause significant economic and social harm to people, businesses, and critical national infrastructure.
The Department for Digital, Culture, Media and Sport has assessed the impact, costs and benefits of the regulations, how effective the regulations have been in achieving the original objectives, and whether those objectives remain appropriate for the UK four years on.
The review is clear that the regulations have acted as an accelerator for improvements to the security of regulated organisations. Regulated organisations have shown an increase in the prioritisation of cyber security at senior level, increased investment in cyber security from boards, the introduction or improvement of cyber security policies, improved incident response management, and a greater awareness of aggregate risks.
The review concludes that the regulations are an effective tool to drive good cyber security behaviours. As such, it recommends that the Government retain the regulations to continue to incentivise organisations in scope to make security improvements.
The report also makes recommendations for changes to strengthen and future-proof the regulatory framework, so that it can adapt effectively to the rapidly evolving landscape. These changes were included in my Department’s public consultation on proposals for cyber security-related legislation in January this year. The outcomes of this consultation will be published later this year.
The next statutory post-implementation review of the regulations will be carried out in the next five years.