
On The Effectiveness of the UK NIS Regulations as a Mandatory Cybersecurity Reporting Regime

arXiv:2603.19084

This paper examines the limited effectiveness of mandatory cybersecurity reporting in the UK, offering policymakers and stakeholders evidence of gaps in the current regulatory regime.

The study addresses the lack of empirical data on cyberattacks against Critical National Infrastructure by analyzing UK-wide incident reports made under the NIS Regulations in 2024. It finds that 29% of those reports concerned cybersecurity incidents, and it reveals a reporting gap: 30 cybersecurity incidents were reported under NIS, whereas the National Cyber Security Centre recorded 89 over the same period.

Existing cybersecurity literature lacks a source of empirical, representative data on the true nature of cyberattacks against Critical National Infrastructure. We have obtained UK-wide data on incidents reported under the Network and Information Systems (NIS) Regulations in 2024 as causing "a significant impact on the continuity" of essential services, together with comparator data from intelligence agencies. We find that 29% of NIS reports already concern cybersecurity incidents. As the UK Government seeks to extend cybersecurity reporting, we find the NIS Regulations are limited in their effectiveness: whilst our requests revealed 30 cybersecurity incidents reported under the NIS Regulations, the National Cyber Security Centre recorded 89 incidents classified as "highly significant and significant" in the 2024 reporting year. Whereas 36% of attacks reported by the Cybersecurity and Infrastructure Security Agency concerned espionage, the NIS data show that 100% of NIS-reportable cyberattacks on healthcare systems in England in 2024 were ransomware.
