The Network and Information Systems (NIS) Regulations, aimed at raising levels of cyber security and resilience of key systems across the EU, came into force on 10th May 2018.
On 16th January 2023, the NIS2 Directive came into force. The NIS2 Directive rescinds the original NIS Directive and creates a more extensive and standardised set of rules on cybersecurity for organisations carrying out their activities within the European Union.
Key Changes In NIS2
Wider Scope
The number of organisations subject to the NIS2 Directive will increase significantly compared with the original NIS Directive. Under the original NIS Directive, member states had to designate those entities considered to be essential and, as such, subject to the original directive. The new NIS2 Directive specifically defines the organisations to which the obligations apply, which results in a wider scope of entities.
As an example, most organisations which were classified as “operators of essential services” under the original NIS Directive will now be classified as “essential entities” under the NIS2 Directive. The definition of essential entities is much broader than before, which means that many organisations not previously affected by NIS regulations will now be required to meet the NIS2 obligations.
The “digital service providers” category of the original directive has been removed from NIS2 and the concept of “important entities” has been introduced instead. This includes organisations previously considered to be digital service providers, with additional categories added. Important entities are subject to more rigorous obligations under NIS2 than applied to digital service providers under the original NIS Directive.
Enhanced Obligations
Under NIS2, essential and important entities are obliged to implement technical, operational, and organisational measures to manage risks in their networks and systems and to minimise the impact of incidents. Areas to be covered include incident handling, business continuity, and secure authentication.
Incident Reporting
NIS2 requires that both essential and important entities notify the national computer security incident response team (CSIRT) or, where applicable, the relevant competent authority of any incident having a significant impact upon the provision of their services. Steps to be taken include the following:
· An early warning must be sent within 24 hours of the organisation becoming aware of the incident. This shall indicate whether the incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact.
· An incident notification must be sent within 72 hours of an organisation becoming aware of the incident. This must update the information above and provide an initial assessment of the incident, detailing its severity and impact.
· An intermediate report must be sent when requested by the CSIRT or competent authority.
· A final report must be sent no later than one month from the incident notification. This must contain a detailed description of the incident, including the likely cause, any mitigation measures applied, and any cross-border impact of the incident.
Enforcement
Competent authorities will be able to apply a tough set of enforcement and investigatory powers including the ability to carry out raids, security audits, and request data and documents.
Authorities in member states will have the ability to impose significant fines in the event of non-compliance with the provisions of the NIS2 Directive:
· For essential entities, fines with a maximum of at least €10 million or 2% of worldwide annual turnover.
· For important entities, fines with a maximum of at least €7 million or 1.4% of worldwide annual turnover.
Management bodies of essential and important entities could also be held liable.
Next Steps
EU Member States must transpose the requirements of the NIS2 Directive into national law and publish the measures necessary to comply before they become applicable to the relevant organisations, with a transposition deadline of 17th October 2024.
Before the NIS2 requirements become applicable, organisations need to:
· Assess whether they provide any services or conduct any activities that are captured by the NIS2 Directive and if so, which subsidiaries or business units are affected.
· Begin assessing their security controls and preparing amendments to their security, risk management and incident response policies to achieve and document their compliance with NIS2.
· Liaise with suppliers regarding new security controls and incident response, given the explicit requirement in NIS2 to address supply chain risk and the new incident reporting obligations.
Will NIS2 apply to the UK?
NIS2 will not apply to the UK directly. However, the UK government announced on 30 November 2022 that the UK’s Network and Information Systems (NIS) regulations will be strengthened to further protect essential services against digital threats, such as cyber-attacks.