What is the NIS2 Directive?
NIS2 is the European Union’s Network and Information Security Directive. It aims to improve the cyber security and resilience of European organisations that contribute to critical national infrastructure, by harmonising requirements across territories.
Areas covered by NIS2 include risk assessments, cryptography, security procedures for employees handling sensitive data and cyber security training. It will also include directives for managing business operations during security incidents, and reporting those incidents.
While this is a European law, many UK businesses will be affected. This is partly because NIS2 puts a greater emphasis on supply chains and data security compared to previous legislation.
When does NIS2 come into force?
In the EU, member states have until 17 October 2024 to integrate NIS2 requirements into law. If you’re a UK business that works with EU partners and you’re affected by the legislation, you should act swiftly to ensure you comply. More on that later.
Give me some more details about the requirements
Topline: companies covered by the rules must harden their cyber security and maintain closer communications with national supervisory authorities.
Some of the main points include:
- Establishing processes for risk analysis and management, information security and cyber security management
- Implementing regular information security training
- Emergency response continuity and recovery plans
- Rapid reporting of incidents to relevant national authorities
You can find the complete NIS2 guidelines here.
How does NIS2 differ from the NIS Directive of 2018?
The NIS (Network and Information Systems) Regulations came into force on 10 May 2018. It was also integrated into UK legislation via the NIS Regulations 2018.
NIS2 is essentially a new and updated iteration of NIS rules. Areas in which it differs from NIS include more stringent requirements related to:
- Supply chain security
- Accountability – managers will bear a greater responsibility to ensure compliance
- Incident reporting – processes will become more streamlined
- Fines – it can impose bigger fines than NIS
One other change, which might seem a semantic one at first glance, is crucial for UK organisations and should be closely scrutinised. NIS2 will change the classification of organisation types. NIS distinguished between ‘operators of essential services’ (OES) and ‘digital service providers’ (DSP). This will be replaced by the categories ‘essential entities’ and ‘important entities.’
More on this in a moment.
Will NIS2 apply in the UK?
Not directly. The UK is no longer in the EU and therefore it is not bound by EU rules. However, indirectly NIS2 is going to have a significant impact.
There are two reasons for this:
1) UK organisations operating in the EU will be bound by NIS2
While NIS2 doesn’t apply to UK organisations operating only within the UK, if you work in the EU you may need to follow the new rules.
For instance, if your work concerns national critical infrastructure, you could be affected. Bear in mind that NIS2 places a particular emphasis on building robust supply chains.
This means that if you are not directly involved in critical infrastructure in Europe, but supply to a business that is, there’s a strong chance you’ll need to show compliance.
2) The UK will update its cyber security laws in response to NIS2
Just as the UK government responded to NIS with new cyber security compliance rules, it’s expected to do the same with NIS2. This is likely to include tighter regulation of managed service and digital providers, widening regulatory requirements for organisations in critical sectors, and a lower threshold for incidence reporting.
Details are yet to be confirmed.
For clarity, we’ll continue this article with specific reference to NIS2 – and not any similar legislation likely to come from the UK government. Therefore, the advice will mainly concern those serving and working in European markets. However, looking forward, we should all closely scrutinise any new government legislation in response to NIS2.
Which kinds of organisation does NIS2 specifically apply to?
Firstly, for the most part, NIS2 is likely to apply only to medium and large organisations with at least 50 employees or more and a turnover of at least €10 million per annum. (These figures will differ according to sector.)
So, if your organisation is small, you may not be affected.
NIS2 will more tightly regulate organisations concerned with critical national infrastructure. As mentioned above, companies covered by NIS2 are classified as ‘essential entities’ and ‘important entities. ‘Essential entities’ are the highest category of importance and are subject to tighter government oversight and bigger sanctions than ‘important entities.’
Sectors covered by NIS2 include:
- Digital services, data centre services and social networking services platforms
- Food
- Manufacturing of critical products such as pharmaceuticals, medical devices and chemicals
- Public providers of electronic communications networks or services
- Postal and courier services
- Public administration
- Waste water and waste management
However, consider this important caveat regarding company size and sectors. Some reports have suggested advice regarding NIS2 from official bodies has been less than clear.
For instance, according to one report, smaller companies have been ‘poorly informed’ by the German government and it was ‘difficult to know for sure whether your business belongs to one of the affected sectors.’
With this in mind, you should seek professional advice if you are not clear on your status.
I have business interests in the EU. Is there any particular area of the EU’s NIS2 Directive I should look at?
Yes. Initially at least take a look at Articles 20 and 21 of Chapter 3. These deal with governance and cyber security risk management measures that UK firms with EU business interests must adopt. This covers everything from managing cyber security incidents to supply chain security.
Is complying going to be a significant outlay for my business?
There is good news for some businesses. If you are ISO 27001-certified you are estimated to be 70% NIS2 compliant already. Where this is the case, you may just need to work with a cyber security partner to conduct a gap analysis and complete any remaining steps required to ensure compliance.
Meanwhile, if you are ISO 27001-certified, have achieved Cyber Essentials Plus and implement a risk management approach, you are likely to be fully compliant with NIS2.
Meanwhile, those organisations that have not taken sufficient cyber security measures to date could struggle. These are the ‘squeezed middle’ – big enough to appear on the NIS2 radar, but not large enough to have dedicated security and risk assessment teams in place.
Measures such as upgrading legacy infrastructure, integrating new technologies, sophisticated monitoring, and staff hiring and training could place a significant burden on organisations ‘playing catch up.’
How can Intersys help me?
Before showcasing our services, some information about our own NIS2 status. In some circumstances, IT and cyber security companies such as Intersys can be considered essential services or operators of essential infrastructure. In other words, the regulations could apply to us.
Intersys is NIS2 compliant. We are an ISO 27001, Cyber Essentials Plus provider with robust, compliance procedures.
Our internal methodologies include:
- Establishing processes for risk analysis and management, information security and cyber security management
- Implementing regular information security training
- Emergency response continuity and recovery plans
- Rapid reporting of incidents to relevant national authorities
As well as following compliance best-practice ourselves, we can provide a cost-effective and efficient way to ensure NIS2 compliance for you too. Intersys can:
- Undertake a gap analysis to assess your current cyber security maturity
- Recommend a roadmap for NIS2, including advice on the infrastructure, systems and training required
- Provide cyber security as a service – an ongoing ‘protect, detect, respond and recover’ service based on the internationally recognised National Institute of Standards and Technology Cyber Security Framework.
As a Microsoft Partner, we can work hard to ensure your NIS2 compliance is undertaken in an efficient and cost-effective way. Fortunately, compliance and data governance are built into the Microsoft platform. This means we can deploy Microsoft 365, as well as other products such as Microsoft Compliance Manager and Microsoft Purview, to meet your NIS2 targets.
What is the outcome of your work likely to be?
Work with Intersys to achieve NIS2 compliance and you will:
- Significantly reduce the risk of any fines or penalties
- Harden your cyber security and reduce the possibility of cyber attacks or breaches
- Strengthen your profile with clients and partners
- Save money, by achieving NIS2 in an efficient and timely way
Can’t I just wait and see what happens?
It might be tempting to ‘see how things pan out’ after the October 2024 deadline. But that’s probably not a good idea. TechRadar reports that 50% of UK businesses have a basic cyber security skills gap.
There simply aren’t enough people to fill roles in this rapidly growing sector. In our view, the need for NIS2 compliance is going to increase demand and put even more pressure on the availability of cyber security skills. There simply won’t be enough professionals to go around. Wait too long and you might pay a high price, for a rushed job, by someone not properly qualified.
How can I find out more?
Take a look at our IT governance and compliance services page to get an overview of our approach.