Are you aware of NIS2? Are you up to speed with the requirements for compliance?
If not, there’s a good chance you'll be hearing much more about it soon.
Many UK businesses have had to comply with NIS cyber security standards for years now.
Pre-dating Brexit, the Network and Information Systems (NIS) Regulations were imposed by the EU and remain part of British law.
For other European countries still part of the EU, the regulations are tightening. NIS2 means stricter rules, reporting requirements, and sanctions. Penalties could be as high as 10 million Euros or 2% of their global turnover for compliance failures.
A huge range of sectors – including many new ones not covered by the first NIS – are being pulled into the regulations. UK organisations to which the original NIS applies can already be fined as much as £17 million for non-compliance.
For many UK businesses who are part of a wider group with links to or subsidiaries within an EU country, NIS2 has immediate relevance.
Whilst, strictly speaking, NIS2 won’t apply to UK-only companies, our own version of the rules is coming very soon.
Indeed, in January this year, the UK Government stated that “the NIS regulations will be updated as soon as Parliamentary time allows”.
Announcing last November that the update is coming, UK Cyber minister Julia Lopez said: “We are strengthening the UK’s cyber laws against digital threats. This will better protect our essential and digital services and the outsourced IT providers which keep them running.”
And it’s highly likely that – whatever spin comes with it – the UK’s NIS update will be extremely similar to the EU’s version.
One example we already know of where the UK is going to follow in the EU’s footsteps is bringing Managed Service Providers (MSPs) into the purview. MSPs have joined the list of ‘critical entities’ to which the NIS2 directive applies.
The UK Government has stated: “Under the new changes MSPs, which are key to the functioning of essential services that keep the UK economy running, will be brought into scope of the regulations to keep digital supply chains secure.”
Most of the digital MSPs, which include digital billing, security monitoring services, managed network services and outsourced business processes, fall outside of the remit of the existing NIS regulations in the UK.
Yet, they are critical because they can have “privileged access to their customer’s IT networks”, making them an “attractive target for cyber criminals who can exploit MSP software vulnerabilities to compromise a wide range of clients”, Government officials noted as they announced their intention to bolster the rules.
The whole point of the rules, in essence, is to better protect essential everyday services, such as water, energy and transport, from online attacks.
Ultimately, the threats posed by cyber criminals and the consequences of falling prey to them are just as severe for all countries - whether within the EU or otherwise.
The UK needs to protect critical infrastructure just as much as any EU country.
And the solutions to combat these threats - the accepted best practice in cyber security - are very much similar. So, it logically follows that the UK regulations will closely resemble the EU’s NIS2.
Indeed, I expect and hope the UK Government’s update to NIS will largely look very similar. The foundations NIS2 lays are solid, sensible and robust. It will be beneficial to UK organisations – and the country as a whole – to have a very similar, strengthened framework as NIS2 provides.
There may be some small differences, but it would be highly surprising if the substance deviated significantly.
The threat driving the new regulations is only going to grow. As everything becomes increasingly connected digitally, the potential damage of a cyber attack to a country increases. A coordinated attack that hits, for example, utilities companies hard would be devastating.
Indeed, UK Cyber minister Julia Lopez has acknowledged this threat, saying: “The services we rely on for healthcare, water, energy and computing must not be brought to a standstill by criminals and hostile states.”
Although NIS2 will not fully take effect in EU nations until October 2024, and the UK’s own version is not yet published, business leaders would be wise to swot up now on the essentials of compliance and take action.
For those asking, ‘why meet the requirements right now?’, the answer is this: it’s not just about complying for compliance’s sake. By following these rules, you’ll be protecting your organisation to the best of your ability and demonstrating best practice, establishing your firm’s diligence and awareness of the threats that exist for everyone.
Would you like further help understanding NIS compliance and how privileged access security fits in?