Introducing the EU’s NIS2 Regulation

Before getting into the detail of NIS2, we need to understand how it affects UK entities. The UK is not an EU member state and has stated that it will not transpose NIS2 into UK law. Whilst NIS2 is an EU law, it has extraterritorial scope and entities not established in an EU Member state fall within scope when they:

1. Meet the criteria of an Essential Entity or Important Entity (see below)
2. Supply ‘Essential’ or ‘Important’ goods and services to the EU economy and society
3. Are not subject to the size cap exemption.

In those cases, the entity must appoint an EU representative in a member state and ensure fulfilment of NIS2 obligations.

When the UK was an EU member state, it enacted the original Network and information Systems Security Regulation (‘UK NIS 2018’). The UK has stated that it intends to amend UK NIS (2018) to include IT managed Service providers, but other details including timescales are not yet available and entities currently subject to UK NIS 2018 should continue to abide by its rules.

NIS2 applies to a wide range of sectors. Entities in the regulated sectors are categorised as ‘Essential Entities’ or ‘Important Entities’.

Essential Entities can expect to be subject to a proactive regime of supervision by the appointed authorities, Essential Entities include:

• Energy (electricity, oil, gas, hydrogen, district heating and cooling)
• Transport (air, rail, water, road)
• Banking
• Financial Market Infrastructure
• Health
• Water (drinking and waste)
• Digital Infrastructure
• ICT service management (b2b)
• Public administration

In addition to these, the directive introduces the concept of “Important Entities”. Important Entities will be subject to a reactive supervisory regime whereby supervision will be enacted in the case of, for instance, a cyber security incident or for concern to be raised regarding a particular sector or entity causing a supervisory authority to act. Important Entities include those operating in the following sectors:

• Postal and courier services
• Waste management
• Manufacture, production and distribution of chemicals
• Production, processing and distribution of food
• Manufacturing (medical devices, computer, electronic and optical products, electrical equipment, machinery, motor vehicles and trailers, other transport equipment including air and space craft, floating structures and boats, etc)
• Digital providers (online marketplaces, online search engines and social networking platforms)
• Research organisations (excluding education).

Entities operating in covered sectors which qualify as a medium sized enterprises (or larger) fall within the scope of the regulation. Small and micro enterprises (those with fewer than 50 employees and a turnover of less than EUR 10m) are subject to a general exemption.

However, small enterprises that fulfil a key role for society, the economy or for particular sectors or types of service can expect to fall within scope. Small enterprises should therefore take care to consider the relevance of NIS2 requirements both in terms of when anticipating growth that would bring them into scope of the regulation, as well as the scrutiny they can expect to come under if they hold an important place in the supply chain of a regulated sector.

NIS2 intends to improve the protection of network and information systems, safeguarding systems and their physical environment from incidents, and ensure effective incident handling to reduce impact when incidents do occur.

The areas in which NIS2 stipulates that appropriate and proportionate technical, operational, and organisational measures to be taken include:

We expect that many regulated organisations will need to incorporate elements of the following into their change and readiness programmes. The nature and extent of change will need to be informed by an applicability and gap analysis and build upon the existing standards in place.

Interpretation of the term “appropriate and proportionate technical, operational, and organisational measures” will be vital to achieving a fit for purpose risk management regime, this will be the subject of a further Insight article:

• Selecting, establishing and appointing an EU representative
• Updating or establishing policies and standards across various security topics. Implementing those policies and standards into operational and technical practice.
• Conducting risk assessments
• Implementing procedures to evaluate the effectiveness of security measures
• Developing, enhancing, and testing plans for handling security incidents (including accounting for new notification obligations and timescales arising from NIS2)
• Enhancing security measures relating to the procurement and development of systems.
• Improving ongoing risk monitoring and security risk management of networks and systems
• Strengthening vulnerability management procedures to better identify and appropriately respond to vulnerabilities (and/or disclose them)
• Providing appropriate cybersecurity training to the general workforce and targeted training to specific user groups (which may include third parties and other suppliers)
• Implementing enhanced security monitoring and / or authorisation procedures for employees with access to sensitive or important data
• Adopt, or improve the coverage and operation of authentication measures including using multi-factor authentication, and (when appropriate) continuous authentication solution
• Implementing security around supply chains and the relationship between the company and direct supplier.

EU Member States will appoint competent bodies with suitable powers of inspection and enforcement. Given the wide sectoral scope of NIS2, a large number of competent authorities will be appointed to provide suitable coverage in each member jurisdiction.

If an infringement is discovered, fines of up to €10m or 2% of an organization’s global annual revenue can be levied on Essential Entities, Important entities face fines of up to €7m or 1.4% of global annual revenue.