Introducing the EU’s NIS2 Regulation

The Network and Information Security Directive 2022/2555 (“NIS2”) is a new EU Directive on cybersecurity that came into force on January 16, 2023. It aims to boost the level of cybersecurity across the EU. With an October 17, 2024 deadline for member states to include this new Directive into their respective national laws, now is the time for organisations to prepare for NIS2.

Microsoftteams Image (210)
Mark Hendry
Published: 18 Dec 2023 Updated: 18 Dec 2023
Cyber security

The UK’s position on NIS / NIS2

Before getting into the detail of NIS2, we need to understand how it affects UK entities. The UK is not an EU member state and has stated that it will not transpose NIS2 into UK law. Whilst NIS2 is an EU law, it has extraterritorial scope and entities not established in an EU Member state fall within scope when they:

  1. Meet the criteria of an Essential Entity or Important Entity (see below)
  2. Supply ‘Essential’ or ‘Important’ goods and services to the EU economy and society
  3. Are not subject to the size cap exemption.

In those cases, the entity must appoint an EU representative in a member state and ensure fulfilment of NIS2 obligations.

When the UK was an EU member state, it enacted the original Network and information Systems Security Regulation (‘UK NIS 2018’). The UK has stated that it intends to amend UK NIS (2018) to include IT managed Service providers, but other details including timescales are not yet available and entities currently subject to UK NIS 2018 should continue to abide by its rules.

Entities subject to NIS2

NIS2 applies to a wide range of sectors. Entities in the regulated sectors are categorised as ‘Essential Entities’ or ‘Important Entities’.

Essential Entities can expect to be subject to a proactive regime of supervision by the appointed authorities, Essential Entities include:

  • Energy (electricity, oil, gas, hydrogen, district heating and cooling)
  • Transport (air, rail, water, road)
  • Banking
  • Financial Market Infrastructure
  • Health
  • Water (drinking and waste)
  • Digital Infrastructure
  • ICT service management (b2b)
  • Public administration

In addition to these, the directive introduces the concept of “Important Entities”. Important Entities will be subject to a reactive supervisory regime whereby supervision will be enacted in the case of, for instance, a cyber security incident or for concern to be raised regarding a particular sector or entity causing a supervisory authority to act. Important Entities include those operating in the following sectors:

  • Postal and courier services
  • Waste management
  • Manufacture, production and distribution of chemicals
  • Production, processing and distribution of food
  • Manufacturing (medical devices, computer, electronic and optical products, electrical equipment, machinery, motor vehicles and trailers, other transport equipment including air and space craft, floating structures and boats, etc)
  • Digital providers (online marketplaces, online search engines and social networking platforms)
  • Research organisations (excluding education).

Exemptions

Entities operating in covered sectors which qualify as a medium sized enterprises (or larger) fall within the scope of the regulation. Small and micro enterprises (those with fewer than 50 employees and a turnover of less than EUR 10m) are subject to a general exemption.

However, small enterprises that fulfil a key role for society, the economy or for particular sectors or types of service can expect to fall within scope. Small enterprises should therefore take care to consider the relevance of NIS2 requirements both in terms of when anticipating growth that would bring them into scope of the regulation, as well as the scrutiny they can expect to come under if they hold an important place in the supply chain of a regulated sector.

Main requirements and obligations arising from NIS2

NIS2 intends to improve the protection of network and information systems, safeguarding systems and their physical environment from incidents, and ensure effective incident handling to reduce impact when incidents do occur. 

The areas in which NIS2 stipulates that appropriate and proportionate technical, operational, and organisational measures to be taken include:

Policies

Basic cyber hygiene and training

Authentication (including MFA)

Business continuity

Incident handling

Secure system acquisition, development and maintenance (including vulnerability management)

Supply chain security

Policies and procedures for the use of encryption

 

Risk management effectiveness assessment

HR security including access management

 

We expect that many regulated organisations will need to incorporate elements of the following into their change and readiness programmes. The nature and extent of change will need to be informed by an applicability and gap analysis and build upon the existing standards in place.

Interpretation of the term “appropriate and proportionate technical, operational, and organisational measures” will be vital to achieving a fit for purpose risk management regime, this will be the subject of a further Insight article:

  • Selecting, establishing and appointing an EU representative
  • Updating or establishing policies and standards across various security topics. Implementing those policies and standards into operational and technical practice.
  • Conducting risk assessments
  • Implementing procedures to evaluate the effectiveness of security measures
  • Developing, enhancing, and testing plans for handling security incidents (including accounting for new notification obligations and timescales arising from NIS2)
  • Enhancing security measures relating to the procurement and development of systems.
  • Improving ongoing risk monitoring and security risk management of networks and systems
  • Strengthening vulnerability management procedures to better identify and appropriately respond to vulnerabilities (and/or disclose them)
  • Providing appropriate cybersecurity training to the general workforce and targeted training to specific user groups (which may include third parties and other suppliers)
  • Implementing enhanced security monitoring and / or authorisation procedures for employees with access to sensitive or important data
  • Adopt, or improve the coverage and operation of authentication measures including using multi-factor authentication, and (when appropriate) continuous authentication solution
  • Implementing security around supply chains and the relationship between the company and direct supplier.

Supervision and enforcement

EU Member States will appoint competent bodies with suitable powers of inspection and enforcement. Given the wide sectoral scope of NIS2, a large number of competent authorities will be appointed to provide suitable coverage in each member jurisdiction.

If an infringement is discovered, fines of up to €10m or 2% of an organization’s global annual revenue can be levied on Essential Entities, Important entities face fines of up to €7m or 1.4% of global annual revenue.

Our Cyber Security team can help you understand the NIS2 Directive and provide the advice and support you need to be compliant by October 2024.

Additional information

Whilst considerable care has been taken to ensure the information contained within this document is accurate and up to date, no warranty is given as to the accuracy or completeness of any information and no liability is accepted for any errors or omissions in such information or any action taken on the basis of this information.