On The Effectiveness of the UK NIS Regulations as a Mandatory Cybersecurity Reporting Regime

TL;DR

This study evaluates the UK NIS Regulations' effectiveness in cybersecurity incident reporting by analyzing 2024 data, revealing significant underreporting and a focus on ransomware in healthcare systems.

Contribution

It provides the first empirical, representative analysis of UK cybersecurity incident reports under NIS Regulations, highlighting their limitations and the nature of reported attacks.

Findings

29% of NIS reports concern cybersecurity incidents

89 high-significance incidents captured by NCSC in 2024

100% of healthcare system attacks reported under NIS were ransomware

Abstract

Existing cybersecurity literature lacks a source of empirical, representative data as to the true nature of cyberattacks on Critical National Infrastructure. We have obtained UK-wide data on incidents reported under the Network and Information Systems (NIS) Regulations in 2024 causing "a significant impact on the continuity" of essential services and comparator data from intelligence agencies. We find that 29% of NIS reports already concern cybersecurity incidents. As the UK Government seeks to extend cybersecurity reporting, we find the NIS Regulations are limited in their effectiveness; whilst our requests revealed 30 cybersecurity incidents reported under the NIS regulations, there were 89 incidents classified as "highly significant and significant" captured by the National Cyber Security Centre in the 2024 reporting year. Whereas 36% of Cybersecurity and Infrastructure Security Agency reported attacks concerned espionage, from NIS data we find 100% NIS-reportable cyberattacks concerning healthcare systems in England in 2024 were ransomware.