Key requirements and differences
As cybersecurity threats become more complex, the EU and the UK are strengthening their defenses. The EU’s NIS2 Directive, adopted in January 2023, updates the original NIS Directive to enhance cybersecurity. Post-Brexit, the UK follows its NIS Regulations 2018 but is also adopting NIS2-inspired reforms. This article examines requirements for NIS2 in Europe and the UK. We will also investigate the upcoming changes and the main differences between the two systems.
Understanding NIS2 in the EU
The NIS2 Directive aims to strengthen the cybersecurity and resilience of essential and important entities across the EU. It covers many critical sectors and applies to large and medium-sized organizations operating within them. Here are the main obligations of NIS2:
1. Scope of Application
NIS2 significantly expands the scope of organizations covered by the directive compared to NIS1. It categorizes entities into two groups:
– Essential Entities: These include sectors such as energy, transport, health, water, financial services, and public administration. The focus is on organizations whose disruption would have widespread societal or economic impacts.
– Important Entities: This group encompasses sectors like manufacturing of critical products, postal and courier services, and providers of digital services, including cloud and data centers.
Importantly, medium and large enterprises in these sectors are automatically included, while small and micro-enterprises are generally exempt unless they play a critical role.
2. Cybersecurity Risk Management
Organizations must implement comprehensive cybersecurity risk management measures. These include:
– Policies and Procedures: Developing and maintaining cybersecurity strategies tailored to the organization’s risk profile.
– Technical Measures: Employing tools for network protection, system monitoring, incident detection, and threat mitigation.
– Organizational Measures: Establishing clear roles and responsibilities, training staff, and fostering a culture of cybersecurity awareness.
3. Incident Reporting Requirements
NIS2 mandates stringent incident reporting protocols:
– Initial Notification: Entities must notify national authorities or Computer Security Incident Response Teams (CSIRTs) within 24 hours of identifying a significant cybersecurity incident.
– Follow-Up Reports: A detailed incident report is required within 72 hours, including the cause, impact, and mitigation measures.
4. Supply Chain Security
NIS2 emphasizes the need to address cybersecurity risks in the supply chain and third-party services. This includes vetting suppliers, contractual obligations for cybersecurity, and regular audits.
5. Governance and Accountability
Leadership accountability is a cornerstone of NIS2. Directors and executives must oversee cybersecurity strategies and ensure compliance. Failure to comply can result in significant penalties, including:
– Fines: Up to 2% of global annual turnover or 10 million euros, whichever is higher.
– Reputational Damage: Public disclosure of non-compliance and incidents.
6. Transposition Timeline
EU member states are required to transpose NIS2 into their national laws by October 2024. After this date, the directive will become enforceable across all member states, with penalties for non-compliance.
Cybersecurity Framework in the UK
Following Brexit, the UK is no longer bound by EU directives. Instead, it enforces the NIS Regulations 2018, which were originally derived from NIS1. However, recognizing the evolving cybersecurity landscape, the UK government has proposed reforms to modernize its approach and align with elements of NIS2. Here are the key features of the UK’s framework:
1. Current Scope of NIS Regulations
The UK’s NIS Regulations apply to:
– Operators of essential services (OES), including energy, transport, health, and water.
– Digital service providers (DSPs), such as online marketplaces, search engines, and cloud computing services.
Unlike NIS2, the current UK framework excludes medium-sized entities, focusing primarily on larger organizations. However, this is expected to change with forthcoming reforms.
2. Cybersecurity Measures
Similar to NIS2, UK regulations require organizations to implement risk management practices and technical measures to protect their systems. Key differences include:
– Less Emphasis on Supply Chain Security: While supply chain risks are acknowledged, the requirements are less detailed than those in NIS2.
– Limited Focus on Governance: The accountability of leadership is not as explicitly emphasized as in NIS2, although organizations are encouraged to adopt best practices.
3. Incident Reporting
UK organizations must notify the Information Commissioner’s Office (ICO) and relevant regulators of significant incidents. While the timelines for reporting are similar to NIS2, the UK does not mandate a 24-hour initial notification for all incidents, instead adopting a more flexible approach based on severity.
4. Penalties for Non-Compliance
The UK imposes substantial penalties for non-compliance, with fines reaching up to £17 million. However, these fines are not linked to global turnover, unlike NIS2.
5. Proposed Reforms in 2024
The UK government has announced plans to update the NIS Regulations to address gaps and align with emerging threats. Key changes include:
– Expansion of Scope: Including medium-sized businesses and additional sectors, such as managed service providers.
– Enhanced Governance: Introducing accountability measures for directors and executives.
– Stronger Supply Chain Protections: Requiring organizations to assess and mitigate third-party risks.
– Incident Reporting Refinement: Aligning reporting timelines with international best practices.
Comparative Analysis: NIS2 vs. UK NIS Regulations
While NIS2 and the UK’s NIS Regulations share a common goal of improving cybersecurity, there are notable differences in their scope, obligations, and enforcement mechanisms. Below is a detailed comparison:
| Aspect | NIS2 (EU) | NIS Regulations (UK) |
| --- | --- | --- |
| Scope | Medium and large entities in critical and important sectors. | Focused on large entities; reforms may include medium entities. |
| Supply Chain Security | Detailed requirements for managing third-party risks. | Less detailed, but reforms aim to strengthen this area. |
| Governance | Strong emphasis on leadership accountability and penalties. | Limited emphasis; reforms expected to address this gap. |
| Incident Reporting | Initial report within 24 hours; detailed report within 72 hours. | Timelines vary; no mandatory 24-hour reporting for all cases. |
| Penalties | Up to 2% of global turnover or €10 million. | Up to £17 million, not linked to turnover. |
| Timeline for Reforms | Transposition by October 2024. | Reforms expected in 2024. |
Challenges for Organizations Operating Across Jurisdictions
For businesses with operations in both the EU and the UK, the divergence between NIS2 and the UK’s framework creates compliance challenges. Key considerations include:
1. Dual Compliance: Organizations must meet the stricter requirements of NIS2 for their EU operations while adhering to UK-specific regulations.
2. Supply Chain Complexity: Differing standards for third-party risk management may require tailored approaches in each jurisdiction.
3. Incident Reporting Coordination: Ensuring timely and accurate reporting to both EU and UK authorities, with varying timelines and expectations.
4. Resource Allocation: The need to allocate additional resources to address differing legal obligations and avoid penalties.
Steps to Achieve Compliance
Organizations can take proactive measures to align with both NIS2 and UK requirements:
1. Conduct a Compliance Audit
– Identify gaps in current cybersecurity measures relative to NIS2 and UK NIS Regulations.
– Prioritize areas requiring immediate action, such as supply chain security and incident reporting protocols.
2. Implement Unified Cybersecurity Policies
– Develop policies that address the most stringent requirements to simplify compliance across jurisdictions.
– Ensure alignment with international standards like ISO 27001.
3. Strengthen Leadership Oversight
– Assign responsibility for cybersecurity at the board level.
– Provide regular training for executives on regulatory requirements and emerging threats.
4. Enhance Incident Response Capabilities
– Establish or update incident response plans to comply with reporting timelines.
– Conduct regular simulations to test readiness.
5. Engage with Regulators
– Build relationships with national authorities in both the EU and the UK.
– Seek guidance on specific compliance questions or ambiguities.
Conclusion
As cyber threats continue to evolve, regulatory frameworks like NIS2 in Europe and the UK’s NIS Regulations aim to protect essential services and critical infrastructure. While the two regimes share common goals, their differences in scope, obligations, and enforcement create challenges for organizations operating across jurisdictions. Businesses must act now to ensure compliance, leveraging audits, unified policies, and robust governance structures. By addressing these requirements proactively, organizations can not only mitigate regulatory risks but also strengthen their resilience against cyberattacks, ensuring continuity and trust in an increasingly interconnected world.