NIS 2 is Coming: Here’s What UK Organisations Need to Know

The UK’s Network & Information Systems (NIS) Regulations came into force in May 2018, following the EU’s 2016 NIS Directive. Due to the timing of their introduction, most media outlets focused on the bigger story of the day: the arrival of the new GDPR. But in seeking to improve baseline security among “operators of essential services” (OES) in critical infrastructure sectors, the NIS Regulations were no less important.

UK NIS sought to mandate the development of a national incident management apparatus, improve information sharing among member states and enhance risk management among the OES community. But time is the enemy of cybersecurity planners, and the EU recently approved a new version: the NIS2 Directive. It will apply to all UK-based OES organisations which operate in the EU.

However, now that the UK has left the bloc, its regulatory regime will diverge from NIS 2. Not all of it is fully fleshed out yet, but let’s see what the implications are for in-scope organisations as things stand.

Raising the bar for EU-wide cybersecurity

As Deloitte explains, NIS 2 was designed with three goals in mind:

  • Enhance cyber resilience in a growing number of OES sectors across the EU
  • Reduce inconsistencies in levels of resilience in sectors already covered by NIS
  • Further improve info-sharing and set new rules for incident response, thereby enhancing trust between competent authorities (regulators)

More specifically, it includes several new elements:

A wider scope: NIS 2 covers organisations in new sectors like telecoms, social media, wastewater and food, and will apply to all medium and large-sized organisations in the sectors deemed providers of “essential” or “important” services. Some public sector organisations will also be covered.

Heavier fines: Regulators will be able to levy penalties for serious non-compliance of up to 2% of annual turnover, or €10m (£8.6m), whichever is higher.

Baseline security requirements: NIS 2 introduces a minimum set of measures to which all organisations must adhere. These include:

  • Risk management and information security policies
  • Incident management for prevention, detection and response to cyber incidents
  • Business continuity and crisis management
  • Supply chain security
  • Testing and auditing of security measures
  • Strong encryption

Supply chain security: Organisations will be responsible for managing cybersecurity risk in their supply chains and supervising supplier security posture.

Director accountability: Senior management personnel will be held responsible for the maturity of their security function. They must receive cybersecurity training and conduct regular risk assessments accordingly.

Incident reporting: Any incident with a potentially severe impact should be reported to the regulator within 24 hours of discovery. A full notification report must be sent after 72 hours, before a final report one month after the initial incident.

What’s new for the UK?

In its response to a call for views on proposals to improve UK cyber resilience, the government was pretty unequivocal about NIS 2, saying: “Given that the UK is no longer bound by EU legislation and will not be implementing NIS 2 there will be differences between the EU and the UK. The UK’s legislation is designed for the UK economy and to maximise benefits to the UK.”

So what does this mean in practice? Here are the main areas of divergence:

Managed service providers (MSPs): The UK will expand the types of in-scope digital service providers (currently limited to search engines, online marketplaces and cloud providers) to include MSPs. This covers providers that are:

  • B2B
  • Focused on IT services
  • Reliant on network and information systems
  • Providing regular management and support, active administration and/or monitoring of IT systems, infrastructure, network and/or security

This contrasts with NIS 2, which adds several new sectors to the list covered by the regulation, including telecoms, social media and public administration. NIS 2 is also more prescriptive about organisation size, to ensure only mid and large-sized ones are covered.

Incident notification: The UK is proposing that a broader range of incidents be reported to the regulator, including those that pose a high risk to, or significantly impact, a service even if they don’t disrupt it.

NIS 2 also contains more demanding requirements for reporting of “significant incidents” – that is, those which have caused, or are capable of generating, significant operational disruption or financial losses to the affected entity or others. It also mandates initial reporting be made within 24 hours.

Exempt organisations: Datacentres not regulated as cloud providers will be exempt, as will software developers and small/micro businesses. However, the regulator, the ICO, can designate specific small/micro digital service providers as in-scope if they’re deemed essential to UK critical services or national security.

Digital service providers: The ICO is set to take a more risk-based approach to regulating digital services based on how critical providers are to providing essential services.

NIS 2 takes a firmer line, with potentially high fines for non-compliance by OES providers.

Future-proofing NIS: The UK government reserves the right to amend the regulations in the future after consulting the public, potentially by adding new sectors deemed critical to the economy.

What you need to do

UK organisations must first decide which applies to them: NIS 2, the UK’s amended NIS Regulations or both, according to Marija Nonkovic, a solicitor at Burges Salmon.

“Although there are similarities between the two regimes, the differences will result in a certain level of divergence, which will require those organisations operating in the EU and UK to carefully assess their cybersecurity compliance obligations,” she explains.

“Businesses should take the time to allocate appropriate resources early on to ensure appropriate security measures are in place to protect against cyber threats, as well as maintaining resilience in light of a cyber-attack to avoid incurring the costs and reputational damage that can result from cybersecurity incidents.”

The challenge will be timing. NIS 2 came into force on 16 January 2023 and must be implemented by member states by 17 October 2024. However, a new NIS Regulation regime is unlikely to be in place before 2024, according to legal experts.

“A difference in the timing of implementation is likely to increase costs to some extent, as businesses active in both the UK and the EU will need to allocate time and resources to compliance exercises on two occasions rather than one,” argues law firm Travers Smith. It remains to be seen whether UK divergence will actually minimise the regulatory burden for domestic businesses, as the government hopes.

So what happens next?

As EY advises, companies in scope for NIS 2 must manage their information security risks. Implementing an information security management system (ISMS) is the best way to do that. This will help to streamline the process for complying with standards like ISO 27001 and ISO 22301, which in turn can provide a good framework for complying with NIS 2.

For those laser-focused on the NIS Regulations, a similar approach would also lay the groundwork for compliance. For further information, the National Cyber Security Centre (NCSC), which acts as the computer security incident response team (CSIRT) and single point of contact (SPOC) for NIS incidents, has also released a handy guide. Its Cyber Assessment Framework (CAF) Collection is another helpful resource.

Set Your Organisation Up for Success

If you’re looking to achieve compliance with NIS 2 and start your journey to better information and cyber security, we can help.

Download our essential guide to NIS 2, read more and arm yourself with the insight you need to stay ahead of the curve and ensure your organisation is set up for success.
