What is NIS and why is it being changed?
Network and information systems (NIS) have become critical to everyday business operations, and the UK and EU are both subject to NIS regimes that require in-scope organisations to adopt appropriate security measures and report on cyber threats. The purpose of these regimes is to raise the level of security of the networks and information systems that underpin the provision of essential services and digital services. However, given the current geopolitical climate and the surge in cyber attacks, a more stringent approach to cybersecurity is needed, prompting the EU and the UK to make changes to their respective NIS legislation.
Proposed scope changes
The scope of both regimes will be extended to include managed service providers, although the scope increase under the EU's NIS2 is more far-reaching than the UK's. NIS2 will replace the existing categories of "operators of essential services" and "digital service providers" with "essential entities" and "important entities", significantly widening the scope of the directive to include all medium and large organisations operating within the following sectors:
- "Essential entities": energy; transport; banking; financial markets infrastructure; health; drinking water and wastewater; digital infrastructure; ICT service management (inclusive of managed service providers); public administration; space; and
- "Important entities": postal and courier services; waste management; the manufacture, production and distribution of chemicals; food production, processing and distribution; manufacturing; digital providers, and research.
Following Brexit, the UK is no longer required to follow the NIS2 Directive and there are no plans to do so. Instead, the UK Government has proposed revisions to the existing NIS legislation, the most notable of which is to include managed IT service providers. However, the UK Government plans to give itself the power to bring other sectors and organisations into scope, so this may be subject to change.
Security measure requirements
The new EU standard, NIS2, sets the precedent for more rigorous requirements for assessing, reporting on, and mitigating cyber risk. In-scope organisations will have to comply with a uniform set of computer security rules covering everything from basic computer hygiene and cybersecurity training to vulnerability handling and disclosure, to address the wide discrepancy that exists among EU member states’ risk management and security reporting rules. Management bodies will be held liable for approving cyber security measures and supervising their implementation.
As for the UK, a more flexible approach is being taken, with competent authorities retaining the ability to set the cyber security measures that regulated organisations must implement. Outcome-focused tools such as the Cyber Assessment Framework will be used to determine the extent to which cyber risks to essential functions are being managed by the organisation responsible.
Supervision and enforcement of the NIS regimes
Both regimes propose a two-tiered approach to enforcement. Different rules for cyber security breaches apply to "essential entities" and "important entities": essential entities are subject to higher fines of up to €10m or 2% of total global turnover, whichever is higher, as well as proactive oversight activities such as strict audits. Conversely, important entities will be subject to lower fines of up to €7m or, if higher, 1.4% of total annual global turnover, and will only be investigated on a reactive basis.
Similarly, UK entities providing more critical digital services will be subject to a proactive supervisory regime, while the rest will be subject to a reactive one. It is unknown whether the UK will reform the penalties for non-compliance from the current £17 million limit.
Does divergence spell trouble for entities operating within the UK and EU?
There is some concern over the divergence between the UK and EU legislation, given that cyber threats do not stop at international borders in a highly interconnected world. The UK's flexibility may weaken the protective power of the NIS regulations by increasing the overall level of cyber risk. Nonetheless, organisations deemed to be essential or important entities with customers across both the UK and the EU will have to comply with both NIS2 and the revised UK NIS regime.
COOLSPIRiT can help you prepare for these upcoming changes
Navigating change can be difficult, but we're here to help. Our team of experts can provide advice on how upcoming changes may affect your organisation, and offer bespoke solutions that align with your unique business needs and goals. We don't just meet compliance requirements - we go further to ensure that your business is equipped to handle any cyber threat and run smoothly.
To find out more, contact our expert team today at hello@coolspirit.co.uk or call 01246 454222.
For more information about the NIS2 Directive, click the link to the European Parliament's briefing here.