UK – Does a failure to enforce cyber security laws matter?

The main cyber security law in the UK is the Network and Information Systems Regulations 2018. Despite a year-on-year increase in serious incidents, new data shows there has been no meaningful enforcement of this law over the last few years. We consider whether that might, in fact, be a good thing.

The NIS Regulations

The Network and Information Systems Regulations 2018 (“NIS Regulations”) are currently the main cyber security law in the UK. They implemented the EU’s NIS Directive (EU) 2016/1148 and regulate both operators of essential services (such as electricity and water suppliers) and relevant digital service providers (such as online marketplaces, online search engines and cloud computing services).

The regulations impose a number of important obligations on those entities including to:

  • take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of the network and information systems on which the service relies; and
  • notify the relevant competent authority of any incident which has a significant impact on the continuity of the essential service (or, for digital service providers, a substantial impact on the provision of the digital service). The notification must be made without undue delay and in any event no later than 72 hours after becoming aware of the incident.

They are enforced using a “distributed model” in which there is no single regulator; instead, competent authorities are appointed along sectoral lines. For example, gas and electricity providers are partly regulated by Ofgem, water suppliers are partly regulated by Defra, and so on. It is also worth noting that financial services firms fall outside the scope of these regulations, on the basis that their existing regulatory framework already imposes sufficient controls.

Breach of the NIS Regulations can lead to an enforcement notice to remedy the breach and fines of up to £17 million.

No meaningful enforcement over the last four years

Despite addressing issues of considerable significance, the NIS Regulations are something of an unknown. There is very limited public information available about how these regulations are enforced in practice. We therefore made freedom of information requests to the key regulators for each sector covering calendar years 2021-2024. The full responses are in the table here. In summary:

  • There has been a year-on-year increase in notifications of significant incidents. There were 18 in 2021, 33 in 2022, 82 in 2023 and 99 in 2024.
  • The bulk of the notifications relate to digital service providers (online marketplaces, cloud computing etc), health, drinking water, road and rail.
  • The deadline to notify serious incidents was missed in 17% of cases.
  • Most importantly, no formal sanctions were imposed. In two cases in the drinking water sector, “formal investigations” were instigated and a recommendation made. No details were provided, but this does not appear to have involved the use of a statutory Information Notice or the exercise of the statutory Power of Inspection.

The reasons for the lack of formal enforcement are not clear. One reason might be the “distributed model” for regulation, under which there is no single regulator and responsibility is instead placed on existing sectoral regulators.

This does have some benefits. For example, it means the risks can be assessed with the benefit of deep sector expertise. However, it also means that “cyber” is just one of the many pressing issues the regulator must address, and the regulator may well lack the confidence and expertise to tackle the deeply technical subject matter. (It is interesting to note that this issue may also arise in relation to enforcement of the AI Act in the EU, where many Member States have also opted for a “distributed model” when appointing market surveillance authorities.)

The GDPR

Importantly, these regulations sit alongside the UK GDPR, but do not entirely overlap. For example, an attack on the UK’s electricity distribution network would fall squarely within the scope of the NIS Regulations. However, it may involve limited or no personal data and so not be a personal data breach or subject to the security measures in the UK GDPR.

The enforcement approach is slightly different under the UK GDPR. The Information Commissioner’s Office has been more active, issuing three fines over the same period (2021-2024) totalling around £4.5m. It was also much more active in the previous year (2020), when it issued three fines totalling almost £40m, and it has issued a significant new fine this year of £3m after an NHS provider fell victim to a ransomware attack. However, enforcement is still sporadic, and most recent breaches have resulted only in a reprimand.

Laws are not magic and harsh enforcement may not stop attacks

The other reason for the lack of enforcement may be that enforcement does not always produce the right outcomes in practice.

After all, law is not magic. Each year more and more laws are passed around the world with fresh obligations on companies to keep their systems secure – but the attacks keep on coming.

The EU has been working especially hard to legislate cyber-attacks out of existence with a swathe of new laws including DORA, the Cyber Resilience Act, the Cyber Solidarity Act and, of course, the NIS 2 Directive (here). They are all significant in their own way and extend the scope of existing cyber security laws.

NIS 2 and DORA are particularly relevant as they will bring cyber to the board room and force directors to be trained on cyber. If that sounds welcome, the national implementation of NIS 2 may be less appealing. Some Member States are planning to make directors personally liable, and even suspend them as directors, for a breach.

No company wants to be subject to a cyber-attack. Regardless of any regulatory sanction, a cyber-attack is a traumatic and costly affair, and most companies have already made significant investments to implement and test their cyber defences.

In our experience, having to manage a regulatory investigation alongside a live incident complicates the response and drags attention away from the practical resolution of the attack, and towards liability management. It can also close down clear and frank lines of communications (particularly with the regulator) because of the fear of subsequent enforcement.

Consistent with this, when implementing the NIS Regulations the Government took a deliberate decision not to ask the National Cyber Security Centre to act as regulator. While it has significant expertise, it has no enforcement powers. It is there as a “friend” for companies needing help in times of crisis, and that role depends on companies being willing to talk to it openly.

Forcing disclosure of this information

This information was not easy to obtain. It required freedom of information requests to multiple regulators, and some were extremely unwilling to provide it. The information we sought was very high-level, but some regulators resisted disclosure on a variety of bases, including that disclosure would imperil national security. In the end, it was necessary to obtain a decision from the Information Commissioner ordering disclosure (Decision Notice IC-299337-B4V1).

It is also interesting to note that the Department of Health and Social Care did not hold information about serious incidents. It is not clear why this is the case. It seems highly likely that the high-profile cyber-attacks on English hospitals during that period should have been notified to the Department.

Conclusions

So perhaps the current lack of enforcement in the UK is a good thing? When the Government introduces its new Cyber Security and Resilience Bill this year it should think carefully about whether ramping up enforcement gets better results in practice and remember that companies are the victims of these attacks, not the perpetrators.

The data supporting this article is here.