This article summarises the incident reporting requirements under the Cyber Security and Resilience Bill and how this affects MSPs
The Cyber Security and Resilience Bill will reform and add to the existing Network and Information Systems (NIS) Regulations 2018, to increase UK defences against cyber attacks.
The Bill will make crucial updates to the legacy regulatory framework by:
- expanding the remit of regulation to protect more digital services and supply chains (such as MSPs)
- providing regulators with greater powers to ensure essential cyber safety measures are implemented
- mandating increased incident reporting to give government better data on cyber attacks.
How does this affect MSPs?
Medium and large managed service providers who meet the definition of a ‘relevant managed service provider’ (RMSP) are brought into the scope of the Network and Information Systems (NIS) Regulations 2018. RMSPs will be required to have appropriate and proportionate measures in place to manage the risks posed to them, and to report significant incidents to their regulator, the Information Commission (IC) (formerly the Information Commissioner’s Office, or ICO).
What is the reporting requirement for RMSPs?
RMSPs must make a light-touch initial notification within 24 hours and submit a full report within 72 hours; the National Cyber Security Centre (NCSC) will be informed of incidents at the same time as regulators. This will enable regulators and the NCSC to better support affected organisations with rapid responses, identify systemic vulnerabilities, and implement targeted interventions to strengthen the resilience of the relevant sector.
24 Hour Notification
The initial 24 hour notification is intended to alert the regulator and the NCSC to the fact that an incident is happening, so that they can offer support to the entity at an early point. The notification should include the entity’s name, the service to which the incident relates, and brief details of the incident.
72 Hour Full Notification
The full notification will be required to contain the more detailed information known to the entity at that point. This includes:
- organisation name and the service to which the incident relates; the time the incident occurred and whether it is ongoing
- information about the nature of the incident
- whether the incident was caused by a separate incident affecting another regulated entity
- information about the impact or likely impact of the incident
- any other information that the organisation considers might be helpful for the regulator to know in order to fulfil its functions.
What type of incident should be reported?
RMSPs will be required to report incidents that fulfil three criteria:
- the incident has adversely affected, or is adversely affecting, the operation or security of the network or information systems relied on to provide the essential service
- the impact of the incident has been, is, or is likely to be significant
- the impact of the incident relates to the whole or part of the UK.
The Bill also lists a number of factors that should be considered when deciding whether or not an incident has had, or is likely to have, a significant impact in the UK, such as:
- the extent of any disruption or potential disruption
- the number of users affected or likely to be affected
- the duration of the incident
- the area that has been or could be affected
- whether the confidentiality, authenticity, integrity or availability of data relating to users has been, or is likely to be, compromised.
For digital and managed service providers only, the factors will also include whether there has been, or is likely to be, any impact on the network and information systems of the services’ users; and any impact that the incident has had, is having, or is likely to have on the economy or day-to-day functioning of society.
Advising Customers
After full notification to the Information Commission, RMSPs will have to identify whether any of their customers are likely to have been adversely affected by the incident and then notify those customers, providing details of the incident and the reasons for which they consider the customer is likely to have been affected. This is to allow the customer to take their own measures to mitigate any adverse impacts on them.