Search papers, labs, and topics across Lattice.
This paper analyzes the effectiveness of the UK's Network and Information Systems (NIS) Regulations as a mandatory cybersecurity reporting regime by comparing NIS-reported incidents with data from intelligence agencies. The study reveals that NIS reports capture only a fraction of significant cybersecurity incidents affecting Critical National Infrastructure. The analysis also highlights a stark contrast in the nature of attacks, with NIS reports for healthcare showing a complete focus on ransomware, while CISA data shows a significant portion related to espionage.
The UK's mandatory cybersecurity reporting regime misses over 65% of significant cyber incidents affecting critical infrastructure, suggesting current regulations are insufficient for comprehensive threat visibility.
Existing cybersecurity literature lacks a source of empirical, representative data as to the true nature of cyberattacks on Critical National Infrastructure. We have obtained UK-wide data on incidents reported under the Network and Information Systems (NIS) Regulations in 2024 causing"a significant impact on the continuity"of essential services and comparator data from intelligence agencies. We find that 29% of NIS reports already concern cybersecurity incidents. As the UK Government seeks to extend cybersecurity reporting, we find the NIS Regulations are limited in their effectiveness; whilst our requests revealed 30 cybersecurity incidents reported under the NIS regulations, there were 89 incidents classified as"highly significant and significant"captured by the National Cyber Security Centre in the 2024 reporting year. Whereas 36% of Cybersecurity and Infrastructure Security Agency reported attacks concerned espionage, from NIS data we find 100% NIS-reportable cyberattacks concerning healthcare systems in England in 2024 were ransomware.
