EU NIS2 security law comes into force this week: What UK organisations need to know
New security and reporting rules apply to providers of ‘essential’ services and ‘important entities’
The EU's second Network and Information Systems (NIS2) Directive takes effect across the bloc this week: member states had until 17th October to transpose it into national law and must apply those national measures from 18th October. It affects organisations providing essential or important services in EU countries, broadens what those terms mean, requires more stringent cybersecurity and risk management measures, and imposes rapid reporting of significant incidents.
NIS2 aims to enhance the resilience and security of network and information systems across the bloc by expanding the scope of the original NIS Directive of 2016, strengthening obligations, and promoting a more coordinated and harmonised approach to cybersecurity.
NIS2 is a Directive, meaning it does not apply directly to organisations but must first be transposed into national law, unlike a Regulation such as GDPR, which is directly applicable. In practice, the exact obligations an organisation faces, and the authority it reports to, depend on the transposing law of each member state in which it is in scope, and not every member state will have met the transposition deadline.
What is NIS2?
In 2018 the original Network and Information Systems Directive (NIS1), adopted in 2016, became law across the EU, including in the UK, where it was implemented as the NIS Regulations 2018. It focused on elevating standards of network and IT security in "operators of essential services" (OESs), including energy, transport, banking and health care, and "digital service providers" (DSPs), such as cloud service providers, online marketplaces and search engines.
NIS2 expands on the aims of NIS1, broadening its scope, fixing a few loopholes and strengthening its cybersecurity measures.
It also introduces personal liability for senior management, which is "a key shift from NIS1,” according to Jonathan Armstrong, partner at Punter Southall Law.
Expanded scope
NIS2 greatly expands on the scope of its predecessor, covering 18 sectors rather than NIS1's seven: 11 "sectors of high criticality" listed in Annex I of the Directive and seven "other critical sectors" in Annex II. Additions to the high-criticality list include public administration, wastewater, business-to-business ICT service management and space, while Annex II newcomers include postal and courier services, waste management, food production and distribution, chemicals, manufacturing, digital providers such as social networks, and research. Whether an organisation counts as an "essential" or an "important" entity depends on both its sector and its size: broadly, large organisations in Annex I sectors are essential entities (as are certain providers regardless of size, such as trust service providers and TLD registries), while medium-sized organisations in Annex I sectors and medium and large organisations in Annex II sectors are important entities.
Like NIS1, NIS2 can reach organisations headquartered outside the EU. Entities are generally supervised by the member state in which they are established, but providers of certain digital services (including cloud computing, data centre, content delivery network, managed service and managed security service providers, DNS and TLD registries, online marketplaces, search engines and social networking platforms) that offer services in the EU without being established there must designate a representative in a member state and fall under that state's jurisdiction.
Stronger cybersecurity measures
For essential and important entities alike, NIS2 brings new minimum requirements for policies and procedures in four main areas: risk management, corporate accountability, reporting and business continuity.
The security measures listed in Article 21 of the Directive include policies on risk analysis and information system security; incident handling; business continuity, including backup management, disaster recovery and crisis management; supply chain security; security in acquiring, developing and maintaining systems, including vulnerability handling and disclosure; procedures to assess the effectiveness of the measures; basic cyber hygiene practices and cybersecurity training; policies on the use of cryptography and encryption; human resources security, access control and asset management; and the use of multi-factor or continuous authentication and secured communications where appropriate. Organisations are also expected to apply due diligence to their suppliers, and to review supply chain contracts and the risk management measures they impose on them.
Member states may also step in to "require essential and important entities to use particular certified ICT products, services and processes," or obtain certification with a European cybersecurity scheme under NIS2.
Tight reporting timelines
NIS2 brings in tight, staged reporting timelines. A significant incident is one that has caused, or is capable of causing, severe operational disruption or financial loss, or that has affected, or is capable of affecting, other people by causing considerable material or non-material damage. Once an entity becomes aware of such an incident it must send an early warning to its national CSIRT or competent authority within 24 hours, stating whether the incident is suspected to be malicious and whether it could have cross-border impact; a fuller incident notification, including an initial assessment of severity and any indicators of compromise, must follow within 72 hours; and a final report is due within one month of that notification. Authorities may also request intermediate status updates in between.
Penalties for non-compliance
The new Directive introduces a framework of sanctions to be applied across the bloc to make enforcement more effective.
The two main categories of organisation are supervised differently: essential entities are subject to proactive supervision, including audits and inspections, whereas important entities are supervised only after the event, when a regulator has evidence or indications of non-compliance. Essential entities can be fined up to €10,000,000 or 2% of their total worldwide annual turnover for non-compliance, while for important entities the maximum figure is €7,000,000 or 1.4% of total worldwide annual turnover, whichever is higher in each case.
Board-level responsibility
In a significant change from NIS1, management bodies must approve their organisation's cybersecurity risk management measures, oversee their implementation and undergo training themselves, and senior management can be held personally liable for non-compliance. For essential entities, authorities are empowered to request the "temporary prohibition of the exercise of managerial functions by any natural person discharging managerial responsibilities at chief executive officer or legal representative level". Implementation and enforcement of these sanctions is left to individual member states.
Impact on UK organisations
The UK may no longer be part of the EU, but many of the bloc’s rules apply to organisations doing business there.
"Though the UK is no longer bound to implement NIS2 following Brexit, some UK entities with customers in the EU will be subject to the Directive," Armstrong noted.
In addition, the UK is due to update its own cybersecurity legislation in the shape of the Cyber Security and Resilience Bill, which is expected to be introduced to Parliament next year.
While its provisions have yet to be revealed, Armstrong believes the Bill will likely be less rigorous than NIS2. Nevertheless, UK businesses operating in Europe should be prepared for both, he said, adding that "managing compliance with multiple cybersecurity regimes may prove burdensome."
With NIS2 imminent, organisations should assess how it might affect them and revise their procedures to meet its reporting obligations, "which have tighter deadlines and different regulatory bodies than GDPR." They should also review training, incident response, supplier contracts, and technical and organisational security measures.
“The scope and application of NIS2 is complex, with different obligations for various categories of in-scope entities. Organisations should seek specialist advice to ensure they fully understand how NIS2 applies to them,” Armstrong said.
Commenting on the upcoming legislation, Sridhar Iyengar, managing director of Zoho Europe, said: "NIS2 is a welcome roadmap for the future of cybersecurity, putting further guardrails in place to safeguard digital operations amid the fast pace of technology evolution. Cyber threats are becoming increasingly frequent and sophisticated, demanding a proactive approach to cybersecurity that prioritises safety and privacy."
DORA
Financial organisations operating in the EU will also be affected by related legislation, the Digital Operational Resilience Act (DORA), which aims to ensure that banks, insurers, investment and trading firms, credit rating agencies and others are able to continue operating even in the event of a cyberattack. DORA is a Regulation, so it applies directly without national transposition, and its requirements apply from 17th January 2025.