Cloud computing, search engines, and the services that underpin the internet are to be considered part of the UK’s vital infrastructure, alongside clean water and power, under new rules aimed at boosting cybersecurity.
Under the European Union’s Network and Information Systems (NIS) directive, businesses that provide essential services will have to make sure their security is good enough to protect their network and information systems from attack, as well as having to notify the relevant authorities of serious incidents.
The regulations apply to critical national infrastructure—those basic services without which society will gradually grind to a halt.
These include healthcare, airlines, airports and air traffic control, ports, local and national rail networks, and road transport authorities. The rules also cover the supply and distribution of drinking water; electricity sale, distribution and transmission; oil production, refining and treatment; and gas supply, storage, sales, and distribution.
The most eye-catching feature of the guidance published by the UK government is the threat of fines—up to £17m—for companies that suffer a breach and are shown to have failed to put effective cybersecurity measures in place. But perhaps more interesting is the recognition that cloud computing and other digital services are now considered essentials too.
That’s because the directive also covers a number of digital services, and requires top-level domain (TLD) name registries, domain name system (DNS) service providers and internet exchange point (IXP) operators to comply.
Cloud computing service providers, online marketplaces, and search engines will also be covered by the NIS directive, although the regime for them is lighter: enforcement can only be triggered after an incident, and providers with fewer than 50 staff and an annual turnover of less than €10m are excluded.
A number of responses to a consultation on the directive had said that software as a service should be excluded, but the government responded: “Software-as-a-service providers play an important role in the UK’s economy and it is right that they are held responsible for ensuring the security of their network and information systems.”
The government defines a cloud computing service as one that enables access to a scalable and elastic pool of shareable physical or virtual resources, which can include infrastructure as a service, platform as a service, and software as a service. However, this does not include most online gaming, entertainment, or VoIP services, as the resources available to the user are not scalable, but it may include services such as email or online storage providers, where the resources are scalable.
While the NIS directive, due to become part of UK law in May, has emerged from Europe, Brexit is unlikely to derail it. The government said that on exit from the European Union these policy provisions will continue to apply in the UK.
The UK’s National Cyber Security Centre (NCSC) has published detailed guidance on the security measures to help organizations comply.