What is the Network and Information Security 2 (NIS2) Directive?
Everything your business needs to understand about the implications of the new EU regulations and how it differs from the UK's own updated NIS rules
To address the ongoing threat of cyber attacks, the European Union (EU) has put in place an updated Network and Information Systems Directive (NIS2). This is a comprehensive legal framework intended to bolster cyber security by obliging organizations to manage cyber risks, report incidents, and cooperate with authorities so that incident response runs more smoothly.
The directive applies to certain critical sectors such as energy, transportation, and health and requires companies to proactively protect their systems from threats like malware and ransomware, as well as report certain types of incidents to relevant authorities.
The twin directives of NIS2 and the Critical Entities Resilience (CER) Directive, which replaced the European Critical Infrastructure Directive of 2008, came into force in January 2023. Member states were given until 17 October 2024 to transpose them, and all of the law's measures now apply to business operations.
Both aim to improve the cybersecurity of businesses throughout the region, by setting strict standards for network and IT security. While CER is centered on critical entities, NIS2 compels organizations to adopt risk management strategies that encompass the widest possible range of cyberattacks.
In 2022, the UK updated its own NIS regulations, since the EU's updated law does not apply within the UK.
Its NIS regulations carry stringent requirements for managed service providers (MSPs), particularly around supply chain security, remote access, incident response planning, and staff training. MSPs must also report any incidents to the National Cyber Security Centre (NCSC).
What are the key provisions in the NIS2 Directive?
The NIS2 Directive is a set of regulations that aims to raise cyber security standards of network and information systems throughout the EU. It requires companies operating in essential sectors, such as energy, transport, banking, financial services, healthcare, drinking water supply, digital infrastructure, public administration, chemicals, food supply and distribution, and space, to bolster network security, incident management, business continuity, and compliance.
NIS2 sets out clear standards for companies in all of these sectors, requiring leaders to conduct cyber risk assessments, draw up incident response plans, report major cybersecurity incidents within 24 hours, and ensure staff are adequately trained to respond to cyber incidents.
It also provides for a Cooperation Group, which will work with the European Commission, the European Union Agency for Cybersecurity (ENISA), and national cybersecurity agencies to share information on cyber incidents and best practices. This group is to be established on 17 January 2025.
There are also requirements for incident reporting, voluntary certification schemes, and supervision and enforcement by national authorities. Finally, the directive mandates risk management through regular risk assessments and the implementation of appropriate security measures to mitigate identified threats. These measures may include incident management processes, business continuity plans, and compliance with relevant regulations. Companies must also monitor and evaluate the effectiveness of these measures on an ongoing basis.
To which organizations does NIS2 apply?
NIS2 applies to all medium and large-sized important entities, operators of essential services (OES), and digital service providers (DSPs) operating within the EU. These are defined as organizations with 250 employees or more, an annual turnover of €50 million ($54 million) or more, or alternatively a balance sheet of €43 million ($46 million) or more.
An OES is a company or organization that provides a service essential for maintaining public life or economic and societal activities. Organizations in sectors such as electricity, water, health, transport, and digital infrastructure fall under this definition.
In the previous iteration of NIS, EU member states could individually identify OES according to their own definitions. NIS2's size-based approach standardizes this to prevent inconsistencies across member states. Governments and entities operating in defense, the judiciary, and law enforcement are exempt from NIS2, though the law does apply to central and regional administrations because of growing cyberattacks on the public sector.
NIS2 vs UK NIS: What’s the difference?
Although both NIS2 and UK NIS intend to improve the cybersecurity posture of businesses in their respective regions, they differ in several crucial aspects.
For a start, the two sets of regulations set out differing reporting processes, fines, oversight arrangements, and certification requirements.
There are also specific requirements for MSPs in the UK legislation. UK-based CIOs and IT managers must understand the requirements and implications of both sets of regulations, and ensure overall compliance if they fall under the jurisdiction of both.
NIS2 vs UK NIS: Incident reporting
Both the UK's NIS regulations and NIS2 require OES and DSPs to report certain types of incidents to the relevant authorities.
The EU directive does encourage member states to establish mechanisms for the exchange of information between OES and DSPs, including the exchange of information on specific incidents. This information exchange can be done on a voluntary basis, and it's up to each member state to decide how to implement it.
The UK regulations define a cybersecurity incident as an event that has a significant impact on the continuity of the essential services they provide, the security of the network and information systems they use to provide those services, or the personal data they process.
NIS2 vs UK NIS: Certification
NIS2 allows member states to adopt voluntary certification schemes for OES and DSPs. This means that the certification process is not mandatory, and companies may choose to be certified under the voluntary scheme to demonstrate their credentials.
The UK NIS regulations, by contrast, require OES and DSPs to be certified by a relevant certifying body to demonstrate that they have taken appropriate steps to manage risks. This certification process is mandatory and ensures that companies operating in these sectors are held to a high standard of cybersecurity.
NIS2 vs UK NIS: Supervision and enforcement
The UK NIS regulations have designated the NCSC as the organization with the power to supervise and enforce compliance, while the EU’s directive grants member states the remit to delegate supervision and enforcement to regulators within each country, depending on their preference.
The level of fines also differs. NIS2 sets out varying fines according to whether an entity is classed as important or essential: noncompliance on the part of the former can be met with a fine of €7 million ($7.59 million) or 1.4% of global annual turnover, while the latter can face fines of €10 million ($10.84 million) or 2% of global annual turnover. In each case, whichever amount is higher applies.
The UK's NIS regulations, meanwhile, can impose a fine of up to £17 million, or 4% of global turnover, for non-compliance, while the EU's version allows member states to impose non-specific administrative fines. The penalties are expected to be much higher in the UK than across the continent.
NIS2 vs UK NIS: Demands for MSPs
There are stricter rules and requirements for MSPs under UK NIS than under NIS2, which means UK MSPs will have to comply with more demanding security measures.
Examples include implementing strong access controls, such as multi-factor authentication (MFA), to prevent unauthorised access to systems and networks; regularly testing and assessing the effectiveness of security measures to identify vulnerabilities and address them promptly; and maintaining comprehensive records of security incidents, including details of each incident and the steps taken to address it.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.