The Security of Network & Information Systems (NIS) Regulation will soon change in both the European Union and the United Kingdom. What lies ahead, and what implications will these alterations hold for businesses in the UK?
The original NIS directive was accepted in 2016 and came into force in the United Kingdom in May 2018. Now, the EU is getting ready for the new NIS2, which is expected to be implemented by member states by September 2024. Since the UK is no longer bound by EU legislation, it will not implement it. However, NIS2 will still apply to UK-based organisations within its scope and operating in the EU. Meanwhile, in January 2022, the UK Government proposed a reform of the original NIS, which remains the primary cybersecurity legislation applicable to organisations doing business in the UK.
In what case is the EU’s NIS2 regulation applicable to UK businesses?
a) if the company has facilities in the EU
b) if the company is part of a supply chain of EU companies
UK companies will need to determine whether they are subject to the revised UK NIS regulations, the EU NIS2 directive, or both. While there are similarities between these two frameworks, there are also differences that will make it more challenging for organisations to meet their cybersecurity compliance responsibilities. Businesses should become familiar with the regulations well in advance and proactively allocate time and resources to ensure appropriate security measures are in place. The goal is not only to meet regulatory requirements but also to build a robust digital security infrastructure that protects their operations from cyber threats.
Similarities and differences between the updated cybersecurity regulatory frameworks in the EU and the UK
Who needs to comply?
In the UK, lawmakers propose extending the regulation to IT managed service providers (MSPs). The reform will also give the UK government the power to add new sectors and sub-sectors in the future.
The EU's new NIS2 directive covers specific additional sectors, such as telecommunications, social media platforms and public administration, and introduces a minimum size threshold so that medium and large organisations fall within scope.
What must be reported?
The UK proposal expands the range of incidents that must be reported to include those that pose a high risk or have a significant impact on the service, even if they don't ultimately disrupt it.
NIS2 also extends the range of incidents that must be reported to include those that can potentially cause considerable losses to others. It also stipulates that the initial report of an incident must be made within 24 hours of becoming aware of it.
How will it be enforced?
The UK approach to regulation will be through a flexible risk-based assessment and will be regulated by the Information Commissioner.
NIS2 takes a different approach, relying on administrative fines and penalties for non-compliance. These will be increased compared to NIS to a maximum of €10 million or 2% of total annual global turnover for organisations that fall into the Essential Entities (EEs) category.
What are the specific new obligations introduced by the NIS2 directive? Get to know NIS2 with ESET's comprehensive guide.