Both the EU and the UK are amending their laws around Network and Information Security to strengthen security against cyber-risks in an increased range of sectors. Impacted organisations need to understand what new measures they may need to put in place to comply with the changes.

Is the text of the law finalised yet? When will it apply?

Yes. On 28 November 2022, the European Council adopted the Network and Information Security Directive (NIS2). Member States must adopt and publish the measures necessary to comply with NIS2 by 17 October 2024. Those measures shall apply from 18 October 2024, after which Directive (EU) 2016/1148 (NIS1) will be repealed.

Who does it apply to?

NIS2 broadens the scope of sectors required to comply. Under NIS1 (which is also enacted in the UK, as it is a pre-Brexit piece of legislation), obligations are placed on operators of essential services (e.g. banks, healthcare providers, energy companies, etc.) and relevant digital service providers (e.g. cloud providers, online marketplaces, search engines, etc.). However, under NIS2, this list will increase to also include postal and courier services, data centre services, wastewater and waste management, and manufacturers of certain critical products such as pharmaceuticals, medical devices and chemicals.

What are the key obligations and changes from NIS1?

Incident reporting

Under NIS2 there will be a three-stage process for reporting security incidents to the relevant authorities. An “early warning report” must be submitted within 24 hours. Next, a fuller “incident notification” should be submitted within 72 hours. Finally, a “final report” should be submitted within one month. This final report should provide a more detailed description of the incident, including its severity and impact and the mitigation measures that have been applied.

NIS1 provides an expansive list of factors that operators of essential services and digital service providers must consider to determine whether an incident needs reporting, but this has led to over-reporting. Therefore, NIS2 narrows the criteria for reportable incidents.

Registration

Under NIS2, certain in-scope entities (including cloud providers and data centres) will need to submit a registration to the European Union Agency for Cybersecurity (ENISA).

Cyber-security risk management measures

NIS1 imposes obligations on in-scope entities to implement technical and organisational measures to manage security risks to systems and facilities. NIS2 expands upon these requirements and provides a long list of the types of measures that should be implemented as a minimum. It is described as an “all-hazards approach”. Measures include ensuring basic cyber hygiene practices and cybersecurity training, cryptography and encryption, and multi-factor authentication or continuous authentication solutions. Supply chain security is also included in this list. This means that businesses that are not directly caught by NIS2 could be indirectly impacted through their customers’ obligations.

Obligations on “management bodies”

NIS2 imposes new obligations on “management bodies”. They must: (i) undergo regular training and offer similar training to their employees; and (ii) oversee the implementation of the cyber-security risk management measures described above.

Sanctions for non-compliance

Under NIS2, Member States are required to set a certain level of administrative fines. The maximum fine will depend on the type of entity that is in breach, but NIS2 provides that it could be up to EUR 10 million or 2% of the infringing party’s worldwide annual turnover of the preceding financial year, whichever is the higher.

Does the UK have anything similar?

The UK had already implemented NIS1 prior to Brexit. The UK will not implement NIS2 but is working on its own proposals to amend the NIS regime; for example, by expanding the scope of digital service providers to bring “managed services” in scope. The UK is also considering expanding the current incident reporting duties to include incidents that do not actually affect the continuity of the service directly, but which nonetheless pose a significant risk to the security and resilience of the entities in question and the essential services they provide.

What are some of the commercial impacts of NIS2?

In-scope organisations must plan, and budget, for these changes. The EU impact assessment on NIS2 suggested that in-scope companies “would need an increase of maximum 22% of their current ICT security spending for the first years following the introduction of the new NIS framework (this would be 12% for companies already under the scope of the current NIS Directive)”.

Policies and procedures must also be reviewed to check they meet the new requirements. This will be particularly important in relation to breach notification where three different reports will need to be submitted.
