I think this is an overly cynical read on the whole thing, at least after skimming the main points from the bill.
A lot of it is about designating critical suppliers + providers and their security obligations.
Central government would typically be a customer, that uses other suppliers and providers to achieve its goals, not a supplier or a provider itself.
So in that sense it doesn't seem so strange to see it omitted, or at least for first set of legislation etc.? Get the first party suppliers in shape first, then legislate the net result of government function using those suppliers etc.
What you're describing would see the government fall outside the purview of the law naturally, without the need for an exemption. This is a true case of an exception that proves the rule — the fact that they made the exemption is itself proof that they would've been otherwise subject to the law.
This is a wrong assumption, it's not that they aren't customers as they'll deal with hundreds of vendors/partners and will benefit from these changes regardless but national cyber & supporting IT agencies (including the UK) are often providers themselves to both other government agencies and private organizations in the country.
This can be anything from running their SOC functions to specialized consulting services to intelligence sharing so the bill is definitely relevant and the exclusion of the govt. doesn't seem to serve a purpose other than saving the budget to implement/maintain their own rules.
So there are legitimate reasons for doing this, such as avoiding having to write reports and request authorizations from oneself, not having to disclose certain sensitive information, etc.
The right way to do this is to draft a framework law and a few decrees along the lines of “administrations XXX and YYY will apply NIS2 with the following exceptions and adaptations ....”
This avoids creating overly broad exemptions, ensuring that there is a reference framework, and preventing each administration from developing its own system.
This is very common in the arms and nuclear sectors, where many civil norms and standards clearly state “not applicable to nuclear” and the nuclear standard states “apply civil standard XXX, with the following specific provisions, the competent authority is the ONR.”
Declaring an overly broad exemption from the outset is not the right way to go about it.
Why is the UK so authoritarian on cyber security? I feel like they're consistently on HN with this type of "rules for thee, not for me" attitude regarding computer law.
This article is about the Cyber Security and Resilience Bill, which aims to increase the security of critical assets, and to strengthen breach reporting requirements.
It's puzzling to hear those steps described as "authoritarian." What makes you feel that way?
The UK is in a strange position, where it must have regulations that are fairly similar to those of the European Union in order to benefit from cross-recognition and not hinder trade with its main partner. In this case, NIS2.
But at the same time, they don't want to admit it and are rewriting these standards in a very specific way so that only British engineering firms and consultants can draft regulatory documents or ensure compliance.
It ensures a monopoly for these engineering firms and consultants.
Brit here. UK Government's position "we will hold ourselves to equivalent standards via the Cyber Action Plan, just without legal obligations" -is institutionally equivalent to "trust the PDF." Fast forward to the non-repudiable era, please.
Readit News
A lot of it is about designating critical suppliers + providers and their security obligations.
Central government would typically be a customer, that uses other suppliers and providers to achieve its goals, not a supplier or a provider itself.
So in that sense it doesn't seem so strange to see it omitted, or at least for first set of legislation etc.? Get the first party suppliers in shape first, then legislate the net result of government function using those suppliers etc.
This is a wrong assumption, it's not that they aren't customers as they'll deal with hundreds of vendors/partners and will benefit from these changes regardless but national cyber & supporting IT agencies (including the UK) are often providers themselves to both other government agencies and private organizations in the country.
This can be anything from running their SOC functions to specialized consulting services to intelligence sharing so the bill is definitely relevant and the exclusion of the govt. doesn't seem to serve a purpose other than saving the budget to implement/maintain their own rules.
This matches the article's point that the UK CSR bill may be a first step that helps to phase in bespoke legislation to improve UK national security.
For me this is professional because my work involves UK software engineering for medical information.
Coordinated vulnerability disclosure: https://github.com/joelparkerhenderson/coordinated-vulnerabi...
The right way to do this is to draft a framework law and a few decrees along the lines of “administrations XXX and YYY will apply NIS2 with the following exceptions and adaptations ....”
This avoids creating overly broad exemptions, ensuring that there is a reference framework, and preventing each administration from developing its own system.
This is very common in the arms and nuclear sectors, where many civil norms and standards clearly state “not applicable to nuclear” and the nuclear standard states “apply civil standard XXX, with the following specific provisions, the competent authority is the ONR.”
Declaring an overly broad exemption from the outset is not the right way to go about it.
src: worked construction in state data centers
¿What asbestos, qué?
It's puzzling to hear those steps described as "authoritarian." What makes you feel that way?
My money’s on Twitter being the source.
But at the same time, they don't want to admit it and are rewriting these standards in a very specific way so that only British engineering firms and consultants can draft regulatory documents or ensure compliance.
It ensures a monopoly for these engineering firms and consultants.
Dead Comment
Starmer is indeed very unpopular, but “least popular ever” is not a claim which even has an agreed-upon measure.
Remember Liz Truss lasted lasted less time in office than it took for a lettuce to rot.
Dead Comment