NIS 2: What The Proposed Changes Mean For Your Business

In December 2022, the European Union confirmed they are moving ahead with plans to expand the scope of the Network and Information System (NIS) Directive to include outsourcers and managed service providers.

A series of reforms and updates to the Network Information Systems (NIS) Directive has been pushed forward to further strengthen cyber resilience. The newly named NIS 2 will bring providers of outsourced IT and managed service providers (MSPs) within the scope of the rules to better protect vital supply chains and critical national services from cyberattacks following significant disruption over the last few years.

In a press release, the EU Council said it “will set the baseline for cybersecurity risk management measures and reporting obligations across all sectors covered by the directive, such as energy, transport, health and digital infrastructure.”

For non-compliance with NIS regulations, companies providing essential services such as energy, healthcare, transport, or water may be fined up to £17 million in the UK and €10 million or 2% of worldwide turnover in the EU.

What is the Network Information Systems Directive (NIS), and Why Has It Been Updated? 

The EU launched the Network and Information Systems (NIS) Directive in 2016 following increased cyberattack concerns. In addition to strengthening member states’ cybersecurity capabilities, the directive hoped to increase collaboration on cybersecurity between member states. It also encouraged states to supervise cybersecurity across their Critical National Infrastructure (CNI), such as energy, transport, and healthcare.

Seven years on from the directive being launched, the cyber threat landscape has changed significantly, and the directive doesn’t quite meet the needs of the evolving 2023 cyber security risk outlook. Cyberattacks and data breaches have increased exponentially, specifically as people become more reliant on digital technology. In addition, the increased attacks on CNI, as seen in the SolarWinds attack, gaps in the original NIS legislation, and inconsistencies in how member states have implemented NIS demonstrate the limitations of the previous model and the need for a more comprehensive replacement.

What Are The Core Requirements Of The NIS 2 Directive?

NIS 2 will address the issues with the previous NIS legislation and tighten the rules. Most importantly, this concerns the inconsistent way the original NIS Directive was implemented, as this complicated collaboration between countries and undermined the overall purpose of ensuring the effectiveness of EU cybersecurity.

NIS 2 will require organisations to ensure the following measures are in place to manage cybersecurity risks:

Information Security Policy

A critical part of cybersecurity is assessing your risk level. NIS 2 will require companies to evaluate the potential impact of an attack on their most vital assets and be alert to potential network vulnerabilities or news of other industry members being attacked. They will also need to take a proactive rather than reactive approach to risk management by introducing strong information security policies to ensure systematic and thorough risk analysis.

Incident Prevention, Detection, and Response

NIS 2 requires organisations to have plans and backup plans, run drills and train all relevant parties. Once an organisation has identified their most significant vulnerabilities, the updated directive requires them to implement clear procedures to prevent attacks and agree on methods to detect potential incidents. This should result in an incident response plan with a transparent chain of command for implementation.

Business Continuity and Crisis Management

The updated NIS 2 intends to ensure that a business can continue its operations in the event of a cyberattack. Organisations must have a verifiable plan for how the company will react to an attack and how it can recover from it as quickly as possible, minimising disruption. As a result, NIS 2 includes a focus on cloud backup solutions.

Supply Chain Security

Supply chain security has been under the microscope globally for some time. NIS 2 doubles down on this and requires organisations to consider the vulnerabilities of each of their suppliers and service providers and their cybersecurity practices, including data storage providers. The directive ensures that organisations clearly understand the risks, maintain a close relationship with suppliers, and continually update security to guarantee the highest possible protections. 

Vulnerability Disclosure

NIS 2 will require more transparent vulnerability disclosure and management. Organisations must provide ways for the public to report any vulnerabilities and ensure the relevant department acts upon this information. If an organisation identifies a vulnerability within their network, the updated directive requires them to disclose it. Disclosure of such vulnerabilities will support the fight against cybercrime and ensure they are not exploited elsewhere.

NIS 2 will also impose updated approaches to:

Incident Reporting

Under the updated directive, companies must submit an initial report within 24 hours of becoming aware of any “significant” incident, a full incident notification within 72 hours and a final report within one month to any relevant competent authority, Computer Security Incident Response Team (CSIRT), and sometimes, to their customers.

A “significant” incident is any incident that has caused or is capable of causing severe operational disruption of the service or financial losses or if the incident has affected or is capable of causing considerable losses to others.

Collaboration

The first NIS directive failed because it did not consider the different ways individual countries operated. Therefore NIS 2 will:

• Encourage more data sharing between authorities
• Require authorities to participate in incident response at the EU level rather than national
• Establish an EU-Cyber Crisis Liaison Organisation Network (EU CyCLONe), a central body to coordinate and manage responses to EU-wide cyber incidents

By centralising cybersecurity controls at the EU level and mandating that everyone adheres to the same cybersecurity standards, NIS 2 aims to simplify a previously under-coordinated system. This should facilitate collaborative data sharing and more efficient solutions to cyber incidents as they occur.

Who Needs To Comply With NIS 2?

NIS 2 will apply to any organisation with more than 50 employees whose annual turnover exceeds €10 million and any organisation previously included in the original NIS Directive.  

The updated directive will also increase its scope to include the following new industries:

• Electronic communications
• Digital services
• Space
• Waste management
• Food
• Critical product manufacturing (i.e. medicine)
• Postal services
• Public administration

Industries included in the original directive will remain within the remit of the updated NIS 2 directive. Some smaller organisations, critical to a member state’s functioning, will also be included in the NIS 2 remit due to the potential problems that could arise if a cyberattack hit them.

Does NIS 2 Apply To UK Businesses?

The UK government have confirmed that they will move forward with plans to update the NIS regulations as they apply to the UK, extending the regulation to include all digital managed service providers (MSPs).

As part of this planned UK update, there will be alignment with NIS 2 in many areas, particularly where it applies to managed service suppliers, IT outsourcing, and core requirements such as incident reporting, supply chain security and business continuity.

The UK update “will be made as soon as parliamentary time allows” and is part of the government’s £2.6bn ($3.2bn) National Cyber Strategy. So, whilst the UK changes may not come into effect as soon as 2024, there are no guarantees, and companies should be well-prepared rather than caught short later down the line.

What Are the Implications of Not Complying With NIS 2? 

NIS 2 comes with much stricter enforcement requirements than its predecessor. Penalties for nonconformity range from being security audited and ordered to follow set recommendations to fines of €10 million or 2% of the organisation’s total worldwide turnover – whichever of these numbers are higher.

Notably, these fines are the same as those imposed for GDPR violations, and NIS 2 should be understood similarly. The NIS 2 initiative represents a significant leap in cybersecurity and should be treated as seriously as the huge sea change GDPR drove for data protection.

A Standards-Based Approach to NIS 2

For organisations looking to achieve compliance with NIS 2, certification against ISO 27001 for information security could be a powerful first step.

The NIS regulations themselves mention that any steps companies take to comply should consider “compliance with international standards,” whilst the technical guidelines issued by the European Union Agency for Cybersecurity (ENISA) map each security objective to several best practice standards, including ISO 27001. 

An ISO 27001- compliant information management system (ISMS) enables organisations to reduce their risk and exposure to security threats by identifying the relevant policies they need to document, the technologies to protect themselves and the staff training to avoid mistakes. They also mandate that organisations conduct annual risk assessments, which helps them stay ahead of the ever-changing risk landscape.

ISO 27001 will help organisations meet NIS 2 requirements whilst also achieving independently audited certification. This provides evidence to suppliers, stakeholders and regulators that you have taken the “appropriate and proportionate” technical and organisational measures required and demonstrates a competitive edge within the marketplace.

Organisations looking to take it a step further could consider adding ISO 22301 for business continuity management. ISO 22301 is designed to help you implement, maintain, and continuously improve your approach to business continuity. Whilst some aspects of ISO 27001 include business continuity management (BCM), it doesn’t define a process for BCM implementation. That’s where the complementary standard ISO 22301 comes in. Certification against this standard would further demonstrate compliance with NIS 2. 

27001 and ISO 22301 also work together well, creating scope for you to develop an integrated management system comprising both an ISMS and a BCMS. This approach will also help you develop strong cyber resilience.

NIS 2 Conclusions

Following the publication of the EU NIS 2 directive in the Official Journal of the European Union, the directive came into force on the 20th Dec 2022. Member states have 21 months to incorporate the provisions into their national law.

The timelines for implementation in the UK are less clear cut, with the UK Government committing to bring forward the necessary legislation “when parliamentary time allows”. Given current Government priorities, we expect the new regime to be in place no earlier than 2024.

Set Your Organisation Up for Success Today With ISO 27001

If you’re looking to achieve compliance with NIS 2 and start your journey to better information and cyber security, we can help. 

Download our essential guide to read more and arm yourself with the insight you need to stay ahead of the curve and ensure your organisation is set up for success.

Download

Resources

1. ENISA – https://www.consilium.europa.eu/en/press/press-releases/2022/11/28/eu-decides-to-strengthen-cybersecurity-and-resilience-across-the-union-council-adopts-new-legislation/
2. GOV.uk – https://www.gov.uk/government/publications/national-cyber-strategy-2022
3. NCSC – https://www.ncsc.gov.uk/collection/caf/nis-introduction