A NIS-ty mess? Update on EU and UK cyber security laws
The legal landscape in relation to cyber security is a mess. In this article, we untangle some of that mess for you and explain what you need to know.
Points of certainty
At EU level, the Network and Information Systems Directive (2016/1148) (NIS1) has been repealed and replaced by a second Network and Information Systems Directive (EU 2022/255) (NIS2). NIS2 requires entities in certain “critical” sectors to do the following, and to drive similar compliance into their supply chains:
- Implement cyber security risk detection and management measures (and supporting internal governance and training).
- Report incidents to the relevant authorities in two timed stages, plus a final report.
- Submit to regulatory supervision (including on-site inspections, scans and potentially audit, as well as providing information).
Non-compliance can lead to penalties of up to €10m or 2% of annual turnover.
Broadly, NIS2 applies to the sectors caught by NIS1, plus: waste water, space, public administration, ICT service management (B2B), research, food production and distribution, postal and courier services, waste management, manufacturing, and the manufacture, production and distribution of chemicals. For more detail see our note.
NIS1 continues to apply in the UK as it was implemented by the Network and Information Systems Regulations 2018 (SI 2018/506) (NIS Regulations) before Brexit. The 2018 Regulations cover five sectors (transport, energy, drinking water, health, and digital infrastructure) and some digital services (online marketplaces, online search engines, and cloud computing services).
The NIS-ty mess
The objective of NIS2, like its predecessor, was to establish a high level of cyber security across EU member states. NIS2 establishes higher standards, but implementation by member states is uneven, with no fewer than 23 member states missing the 17 October 2024 implementation deadline. The tardiness is significant, as national courts are generally reluctant to enforce EU Directives before member states pass implementing legislation.
The overall impact for organisations that are newly caught by NIS2 and operate in the EU (and their supply chains) is to prolong the uncertainty.
Some national implementations that are already in place deviate from NIS2. The trend of deviations is towards higher standards and complicated regulatory supervision arrangements (reflecting the fact that NIS2 applies to several different sectors, each with its own regulator). The implementations also lack detail and provide for secondary legislation to fill in the blanks later. This is understandable, given that NIS2 provides for the European Commission to issue formal guidance but none has yet been issued.
The UK is belatedly moving to upgrade its own cyber security regime through The Cyber Security and Resilience Bill, which is expected to be introduced to Parliament later this year. The Government published an announcement and details of the scope and ambition of this Bill on 1 April. Amongst other things, they say it will upgrade the NIS Regulations by:
- Regulating more sectors: Providers of managed IT services, infrastructure and applications will come into the scope of regulation. Systems integrators, managed security service providers, security operations centre operators and security information and event management providers will also be caught (see footnote 2 of the policy statement). Data centres may be regulated (this is under consideration, but note that they are already viewed as Critical National Infrastructure).
- Imposing supply chain management duties: New duties for in-scope firms to manage cyber security risk in their supply chains (detail to follow in secondary legislation).
- Regulating supply chain participants: Powers for regulators to designate “critical suppliers” in supply chains so that they are also directly regulated. The policy statement outlines proposed threshold criteria.
- More powers for regulators: Regulators will get enhanced oversight and powers (including the ability to see regulated firms’ risk assessments, and two-stage incident reporting).
- Easy-to-change regulation: Powers for the Secretary of State to change the regulatory framework (e.g., by setting sector-specific regulation for more than just financial services) via a low-friction legislative process and (under consideration) to set strategic priorities for regulators and to give binding directions to regulated firms.
There is a strong echo of NIS2 here, and an explicit commitment to align the NIS Regulations with NIS2 “where appropriate” (and, surely, to the extent feasible, given the messy landscape created by EU member state implementations and the absence, for now, of detailed guidance). There are also many points where the proposals do not explicitly align with NIS2, such as provision for a Vulnerability Register, and formal cooperation and information sharing between regulators and incident response teams.
It remains to be seen whether the style of regulation will improve. We would hope (likely in vain) for regulators to share responsibility for outcomes, and to provide or channel funding and effective support and guidance, instead of primarily wielding the headmaster’s (monetary) cane and the benefit of hindsight.
So what (UK organisations)?
NIS2 is in force in the EU and may apply to organisations based in the UK that:
- Operate in the EU, in sectors that are caught by NIS2; or
- Form part of the supply chain for organisations that operate in the EU, in sectors that are caught by NIS2.
This second element is driven by NIS2 itself. In a change from NIS1 and the NIS Regulations, NIS2 explicitly requires in-scope organisations to manage cyber security in their supply chains.
Organisations that are caught will need to register with the relevant regulator(s) in relevant EU member states.
For now
Organisations in affected sectors (and their supply chains) should monitor the legislative picture as it develops in the UK, and in EU member states where they operate or supply. But playing the waiting game is evidently not an option. Cyber security incidents and resulting interruptions in business continuity are present risks and will not wait. The legislation “merely” adds new layers of compliance and the additional risk of regulatory action and penalties.
While the legislative picture settles, firms that are within the scope of NIS2 (whether directly, or by virtue of belonging to supply chains) should as a minimum continue to:
- Ensure that their leaders, and leaders in their supply chain firms, are aware of cyber security and business continuity risks and their management.
- Ensure that supply chain contracts mandate cooperation and information sharing in relation to cyber security.
- Conduct assessments, internally and in supply chains, to build a picture of cyber security risks. There are established and well-defined non-legal standards and tools available to support this, including the Cybersecurity Capability Maturity Model (C2M2), which is partly open source, and IEC 62443, in addition to NCSC’s CAF.
- Allocate internal risk-owners to monitor and manage the cyber security risks (and related policies and measures) that start to come into focus as a result of assessments.
For the rest
NIS2 is a pain for in-scope firms, and the amendments to the UK NIS Regulations will be too. There is, however, no doubt that organisations will benefit if they use the new laws as a nudge to establish or improve their measures for managing cyber security risk in their information technology and operational technology. The same operating risks exist for all of us, and all organisations in the UK (whether or not they are caught by NIS or NIS2) should be pursuing the activities outlined above.