NIS 2 Directive Timeline & Requirements to Minimise Risks

NIS 2 Timeline

NIS 2 is Changing

It’s getting Risky out there…

The protection of our networks and systems is of utmost importance, now more than ever. Attackers are increasingly sophisticated and attack with increasing frequency and ferocity. Only a Superhero (in the guise of an EU directive) can help us. Is it a bird? Plane? An A.I. drone, gone bonkers?

Nope… it’s NIS 2. You see, the EU is replacing its first Network and Information Systems Directive (NIS 1) with an improved, more robust version: NIS 2.

NIS 2 Directive EU Summary

What the Hake is NIS 2? In short, it’s a beefed-up, super-sized version of NIS 1. NIS2 seeks to forge a common, coordinated and cooperative approach. One that improves information security across EU member states and beyond.

In 2016, the EU introduced the NIS1 directive. The purpose: to fight cyber security threats to critical infrastructure. In January 2023, the EU adopted the updated NIS2 Directive, giving member states until October 2024 to implement it.

What’s changed is that NIS 2 is a lot tougher than its predecessor. It’s also more costly. More complex. But it’s also a smarter way to protect essential and important information assets, keeping what matters running while raising cyber security standards across the board. Here’s why it’s going to make a difference: the directive has teeth — big ones.

NIS 2 is armed with far heftier fines (and more compliance standards) than its predecessor. Entities within its scope must expect ad-hoc audits and expensive implementation costs, and, if they don’t buckle up and comply, eye-watering fines of up to $10 million. Got your attention yet?

NIS 2 Directive UK Summary

The UK has proposed specific changes to the EU Directive:

Regulation of Managed Service Providers (MSPs): Because MSPs have access to the information technology systems of millions of customers, they are a prime target for cyber attacks. For this reason, the UK proposes to expand the definition of relevant digital service providers (RDSPs) to include MSPs that have particular characteristics and/or meet certain risk criteria.

If a provider of managed services has all of the following characteristics, the UK proposes that it be classified as an RDSP:

  • The service is provided by one business to another;
  • The service is related to the provision of IT services;
  • The service relies on the use of network and information systems;
  • The service provides regular and ongoing management support, active administration and/or monitoring of IT systems, IT infrastructure, IT networks, and/or their security.

The UK Government has clarified that an MSP with all the above characteristics would only be subject to Proposed NIS reforms if it then meets certain risk-based criteria. For example, the MSP either has privileged access to a customer’s data/systems or performs essential or sensitive functions.

Although the UK is not currently proposing to include these criteria in the revised legislation, it has said it will work alongside regulators (read: the Information Commissioner) on exactly how to apply these criteria in its application of the regulations.

The UK Government has given examples of the types of managed services that would be in scope (if they meet the characteristics above):

  • IT outsourcing services (ITO)
  • Private wide area network (WAN) managed services
  • Private local area network (LAN) managed services
  • Service integration and management (SIAM)
  • Application modernisation
  • Application management
  • Managed security operations centre (SOC)
  • Security monitoring (SIEM)
  • Incident response
  • Threat and vulnerability management (TVM)

Small and Micro RDSPs

Micro and small enterprises (i.e. fewer than 50 employees and/or less than £9 million annual turnover) are excluded from the definition of RDSPs under the UK NIS Regulations.

Despite this, the Information Commissioner will be able to designate particular micro and small RDSPs that are systemically critical to the UK’s critical services or national security, and therefore subject to the UK’s NIS Regulations.

Delegation Power

The UK will have the power to amend aspects of the UK NIS Regulations without passing an Act of Parliament. This means it can respond quickly and effectively to developments in technology and the threat landscape.

In particular, the UK Government will be able to change the existing sectors and sub-sectors subject to the UK NIS Regulations.

The Government will also have the power to designate critical suppliers, which it calls ‘Critical Dependencies’, on which existing essential services depend. Critical Dependencies would become subject to the same obligations that apply to operators of essential services under the UK NIS Regulations.

Finally, because the UK Government is concerned that only a limited number of cyber security incidents have been reported under the current UK NIS Regulations, the proposed NIS reforms expand the requirement to report cyber security incidents beyond those that affect continuity of service. Operators of essential services and RDSPs will need to report ANY security incident that has a significant impact on the security of the network and information systems underpinning an essential service, even if the incident does not affect continuity of service.

The Price of NIS 2 Non-Compliance

At Risk Crew, we never use Fear, Uncertainty and Doubt (FUD) tactics — our goal is to empower with knowledge. However, here are the facts on non-compliance.

NIS 2 introduces new fines as an “incentive” to encourage entities to take security measures seriously (and to report incidents promptly to the competent authorities). For Essential Entities, fines could reach up to €10 million or 2% of global turnover, whichever is greater. For Important Entities, it’s €7 million or 1.4% of global turnover.

But financial penalties are not the only cost to consider. Implementing the necessary measures for NIS 2 compliance will require time and considerable expense. Companies should prepare for a dramatic budgetary swell: approximately an additional 12% of existing Information and Communications Technology (ICT) spend for those already subject to NIS 1, and a whopping 22% increase for organisations new to NIS.

Comprehensive Cyber Security Risk Management

The directive urges organisations to be proactive about risk management. It mandates controls in business continuity and crisis management, supply chain security, incident reporting and supervision. Entities must promptly report any incident that significantly impacts their services to their Computer Security Incident Response Team (CSIRT), issuing early warnings, incident notifications, intermediate reports and final reports within specific timeframes.

That’s the bad news. The good? NIS 2 is designed to enhance cyber security across EU member states, with a particular focus on safeguarding critical infrastructure. It’s the information security equivalent of NATO.

Supply chain security is a significant focus area. Even entities outside the directive’s direct scope could be affected, because Essential and Important Entities are required to assess the cyber security practices of their suppliers and service providers.

Moreover, in-scope entities are encouraged to incorporate risk management measures into their contractual arrangements and are urged to conduct rigorous due diligence when selecting their managed security providers.

There’s an ancient Chinese curse ‘May you live in interesting times’. You don’t need a crystal ball to see that times are already ‘interesting’, and likely about to get even more so. NIS 2 aims to help EU member states weather the coming storm, whatever form that takes.

Who is Affected and What is the Timeline for Compliance

The UK Government has stated that the Proposed NIS Reforms will be implemented as soon as parliamentary time allows; we expect that to happen in the first part of this year. The NIS 2 Directive passed in January 2023, with October 2024 being the cut-off date for Member States to transpose the Directive into national law.

Those affected are entities operating within the EU that fall under ‘Essential’ or ‘Important’ sectors, with the exclusion of ‘small’ and ‘micro’ businesses. Essential sectors range from energy and transport to banking, health, digital infrastructure, public administration, and space. Meanwhile, Important Entities include postal and courier services, waste management, food production, manufacturing, digital providers, and research organisations, among others.

[Figure: NIS 2 organisations regulated]

Is there a timeline? Yes and no. The timeframe for the transposition of NIS 2 into the national laws of the 27 member states of the EU is 17 October 2024. But this is the deadline for transposition into national law for member states, not the compliance date for entities subject to NIS 2. As yet, the compliance date for entities remains unspecified. The directive advises that ‘Member States shall require entities referred to in paragraph 1 to submit the following information to the competent authorities by 17 January 2025.’ The ‘following information’ requested is much like an application to Companies House and includes basic information only.

What You Can Do Now

Ultimately, the goal of the new directive is to harmonise the cyber resilience of member states and foster a shared understanding of cyber security threats and challenges, centring on essential services (and their third-party service providers). In other words: we’re stronger together (but only if we truly cooperate). To start preparing now we suggest:

  • Get familiar with the 10 cyber security management measures in Article 21.
  • Educate your senior leadership on the penalties of NIS 2 and get their buy-in on a budget to begin your compliance project.
  • Prepare for training. NIS 2 mandates regular training and risk ownership for all executives.
  • Document your Incident Response Plan. NIS 2 increases obligations for response and shortens timeframes.
  • Assess your supply chain.
  • Create a Vulnerability Disclosure Policy. Put procedures in place to receive vulnerability notifications from third parties.
  • Promote secure DevOps.

Risk Crew can help you start readying your organisation today – and take the preliminary security measures that are required. Get ahead of the game and speak to one of our experts to discuss your NIS2 readiness.

Risk Crew