Tories: Firms Should Pay More for Cybersecurity Regulation
UK Government Presses Ahead With Proposal to Charge for Regulation
The Tory U.K. government says businesses should pay more for administrative costs associated with cybersecurity regulation and vowed Wednesday to obtain Parliament's approval for an expanded cost-recovery mechanism.
Businesses that come under the country's chief cybersecurity directive, the Network and Information Systems Regulation, already must reimburse their governmental overseers, such as the Information Commissioner's Office or sector-specific specialists such as energy regulator Ofgem, for some regulatory actions, including inspections.
Conservatives including Julia Lopez, the minister who heads the Department for Digital, Culture, Media & Sport, have said the private sector should pay more, including potentially for the cost of enforcement or independent reviews of enforcement actions requested by regulated entities. Potential models include direct invoicing or having regulated entities periodically pay into a regulatory fund.
"It is government policy that charges for services provided by public sector organisations normally pass on the full cost of providing them," the government wrote earlier this year in a public consultation over potential NIS updates.
"I assume their logic will be, 'Why should the British taxpayers subsidize the regulation of Amazon when they don't pay tax here, and they do compete against good old British shops,'" said Jonathan Armstrong, a London-based attorney with Cordery Compliance Ltd.
A majority of organizations responded to the public consultation with displeasure over the prospect of paying for enforcement, telling the department they have concerns over creating perverse incentives for regulators.
A Nov. 30 statement from the department and Lopez said the government will press forward with some form of increased cost recovery, saying a forthcoming proposal will establish a regulation "that is more transparent and takes into account the wider regulatory burdens, company size, and other factors to reduce taxpayer burden."
The government downplayed concerns about creating incentives for enforcement, writing in its response to the public consultation that "the proposal is to expand cost recovery to cover enforcement costs, rather than use enforcement as an additional income to cover wider NIS costs." Regulators will only charge businesses for costs directly related to enforcement, departmental officials wrote.
The NIS updates will come "as soon as parliamentary time allows," the statement added, language suggesting that the government is aware that the proposal could generate controversy, Armstrong told Information Security Media Group.
Additional changes favored by the government include expanding the scope of regulations to more firmly include IT managed service providers. In addition to critical infrastructure sectors such as gas, rail and air transport and healthcare, NIS directs "digital service providers" such as search engines and cloud computing services to undertake cybersecurity measures and report to the Information Commissioner's Office any incident that has a substantial impact on the provision of services.
Overlap exists between a digital service provider and a managed service provider, making the expansion in scope significant but also in large measure a clarification, Armstrong said. The government says it does not consider software development a managed service.
The government also says it wants to require more cybersecurity incident reporting, since the current NIS threshold is for events that affect continuity of service.