Verder naar navigatie Doorgaan naar hoofdinhoud Ga naar de voettekst

Spotlight on NIS and NIS2

Regulating the cyber security of critical infrastructure across the EU & the UK

06 maart 2023

Updates on NIS and NIS2

  • The NIS2 Directive was published on 27 December 2022 and will enter into force on 16 January 2023.
  • EU member states have until 17 October 2024 to adopt and publish the provisions necessary to comply with the Directive.

The European Council formally adopted NIS2, replacing the current directive on the security of network and information systems (NIS).

In the same week, the UK Government confirmed that it is moving forward with plans to update the NIS regulations as they apply to the UK.

While the two regimes have been aligned since the UK’s exit from the EU, these recent announcements confirm that there will be differences going forward in the way that the cyber security of critical infrastructure is regulated.

Here, Mick Flitcroft, our Global Lead for Government Compliance Services, explores the similarities and differences between the UK and EU and what they may mean in practice, drawing from his experience supporting organisations across the economy comply with the NIS framework.

Which new sectors will be regulated?

In both the UK and the EU, managed service providers such as IT outsourcing service providers will be brought into scope of the regulations.

Looking only at the UK, the Government will have the power to bring other sectors into scope more easily, having recently consulted on plans to require flexible energy providers and data centre operators to comply with NIS.

In addition, recognising the systemic risks posed by the reliance on key third party suppliers to the UK’s critical national infrastructure, the Government will also have the power to designate certain suppliers or services on which existing essential and digital services depend as critical, meaning they too would fall under the remit of the NIS regulations. This comes as the financial services sector, which is not regulated under NIS in the UK, faces additional regulatory requirements in the form of PS2/21 and the Financial Services and Markets Bill aimed at managing the risks associated with supplier failure, service deterioration and concentration risk.

NCC Group hopes to see the two regulatory agendas aligned and will be engaging with competent authorities to advocate a 'Resilience by Design' approach.

In the EU, there will be a significant widening of the scope, with organisations in several additional sectors deemed “essential” including space, waste water, public administrations (with some exceptions), data centre service providers, trust service providers, content delivery networks, and public electronic communications networks and services.

Other critical sectors, such as postal services, chemicals and manufacturing of key products, will also have to comply with the regulations (known as “important” entities), but will be subject to less regulatory oversight than the entities that are classed as “essential”.

While under the old NIS directive member states were responsible for determining which entities would meet the criteria to qualify as operators of essential services, the new NIS2 directive introduces a size-cap rule. This means that all medium-sized and large entities operating within the sectors or providing services covered by the directive will fall within its scope.

In some of the affected sectors, such as public electronic communications, the directive will apply regardless of size, while Member States will also have the power to designate some organisations as essential or important entities even if they fall under the size cap rule.

What additional requirements will organisations have to comply with?

Unlike the previous iteration of the NIS directive, the EU’s NIS2 seeks to harmonise requirements across member states by setting out minimum rules for regulatory frameworks and establishing clearer and stronger minimum cybersecurity measures that must be implemented.

These include:

  • risk analysis and information system security policies;
  • incident handling;
  • business continuity and crisis management;
  • supply chain security;
  • secure network and systems acquisition, development and maintenance, including vulnerability handling and disclosure;
  • policies and procedures to assess effectiveness of measures;
  • basic computer hygiene practices and cybersecurity training;
  • policies and procedures regarding use of cryptography / encryption;
  • HR security; and,
  • The use of MFA, secured comms and secured emergency comms.

In the EU, regulated entities must also include supply chain in their security measures. They must consider specific suppliers’ vulnerabilities and cybersecurity practices, and are “encouraged” to incorporate cybersecurity measures into contractual arrangements with their direct supply chains.

Meanwhile, in the UK, the cybersecurity measures regulated entities will have to implement will continue to be set by the competent authorities responsible for regulating each sector. However, the UK Government has stated that it will promote “outcomes focused tools such as the Cyber Assessment Framework” which it argues “provides a measure of flexibility for companies.”

What about incident reporting?

Both the UK and EU are updating their requirements so that a greater number of incidents are reported by organisations.

Under the EU’s plans, organisations must notify their relevant competent authority, national Computer Security Incident Response Team (CSIRT), and in some cases, their customers “of any incident having a significant impact on the provision of their services”. Incidents shall be considered “significant” if it has caused or is capable of causing severe operational disruption of the service or financial losses; or the incident has affected or is capable of causing considerable losses to others. Organisations will be required to provide an “early warning” within 24 hours after becoming aware of an event, with a full “incident notification” required within 72 hours and a “final report” to be submitted no later than one month after the incident notification.

Meanwhile, in the UK, the definition of incidents is being expanded to include “incidents that do not actually affect the continuity of the service directly, but nonetheless pose a significant risk to the security and resilience of the entities in question and the essential services they provide.” The final legal definition is yet to be determined, with exact thresholds to be set for each sector by competent authorities. It is likely that the 72-hour reporting deadline will remain.

What are the consequences for non-compliance?

In the UK, there are fines of up to £17 million for non-compliance, while, in the EU, “essential” entities face fines of up to €10 million or 2% of their total turnover worldwide.

What should organisations be doing to prepare?

Understand how the new regimes will affect them: It is important that organisations understand if they will be captured under the expanded sectoral remits of the EU and UK’s evolving regulations. In some cases, a sector may fall under one regime, but not the other (for now). It will also be important to understand whether, at an EU-level, an organisation or service will be deemed “essential” or “important” as the implications differ for each.

Adopt a proactive approach to security: Organisations should carry out a thorough gap analysis exercise and ensure that they have plans in place to address any issues and remain compliant.

Have full visibility over systems: A clear understanding of security implications for all system assets, plus those provided or managed by third parties, is essential.

Clear incident handling: Organisations must ensure that they have proper incident handling in place with prepared materials, processes and procedures to follow in the event of incident.

What happens next?

Following the publication of the EU NIS2 directive in the Official Journal of the European Union, which is expected to take place in the coming days, the directive will enter into force 20 days later. Member states will then have 21 months from which to incorporate the provisions into their national law.

The timelines for implementation in the UK are less clear cut, with the UK Government committing to bring forward the necessary legislation “when parliamentary time allows”. Given current Government priorities, we would expect the new regime to be in place no earlier than 2024.

Contact our NIS/NIS2 experts

If you need help getting to grips with the new regulations then don't hesitate to speak to one of our team today.