Tech biz must tell us about more security breaches, says UK.gov as it ponders lowering report thresholds
2021-07-27 18:15

The British government wants to make Amazon, Google, and other digital service providers report cybersecurity breaches to the Information Commissioner, according to newly published plans.

Due to Brexit, the government can amend the UK's Network and Information Security Regulations to let the Information Commissioner's Office, the local data watchdog, dictate what kind of cybersecurity breaches must be reported to it.

"The proposal is to revoke Article 4 from the UK retained version of Commission Implementing Regulation 151/2018 and allow the Information Commissioner's Office, as the Competent Authority for digital service providers, to set the thresholds at a more appropriate level through guidance," said the government on its consultation page.

The UK government is keen to make the world's tech companies bend the knee to the ICO by lowering mandatory incident reporting thresholds under the NIS regs.

Backing up government assertions that current thresholds are too high, the ICO confirmed to The Register that just one incident was reported to it under NIS between 2018 and 2020 - and even that one fell below the threshold. A spokeswoman told us: "The ICO has been engaging with the Department of Culture, Media and Sport on this."

The full draft amendments proposed by the government can be read here as a PDF. Page 9 onwards contains the new, lowered thresholds, which appear to be worded so they would also apply to DNS operators outside the UK if they serve more than a certain number of domains registered to UK postal addresses.


News URL

https://go.theregister.com/feed/www.theregister.com/2021/07/27/uk_security_breach_reporting_law_thresholds/