NIS2: The Sequel

July 12, 2022

Why NIS2?

Legislation under the EU undergoes regular revision, and The Network and Information Systems Regulations (NIS) is no exception. There’s no confirmation on if or exactly how NIS2 or an equivalent will make its way into UK law. However, it is likely, given the rapid growth in cybercrime and cyber security incidents in recent years, especially throughout the pandemic and current world events.

A significant change with NIS2 is that the scope of the legislation has widened to include (perhaps unsurprisingly) medical device research and manufacture and others. The additions are split into two categories, ‘essential’ and ‘important’ sectors (replacing the OES and RDSP distinction), including banking, digital infrastructure, energy, health, transport, public administration, and space. Important sectors now include the manufacture of medical devices, post services, waste management, food production, and digital providers. There is also the option for EU states to exercise a high degree of discretion when identifying entities that may be smaller than the thresholds but have a high-risk profile.

The new legislation proposes a new entity (European Cyber Crises Liaison Organisation Network, or EU-CyCLONe) to provide incident management coordination at an EU level rather than national or between individual national networks. Given the international nature of cyber security incidents, particularly those which meet a need for a global response, this is a welcome proposal.

There’s also the introduction of more punitive measures for failure to comply with the legislation and tightening requirements. Firstly rules around reporting have been strengthened, with more detailed guidance on the reporting process, the content of reports, and the timing reduced to within 24 hours of the incident being discovered. Reporting now covers incidents with a significant material impact and those with the potential to cause substantial, operational or financial damage. Linked to this, NIS2 provides a database of known vulnerabilities to be kept by ENISA, and coordinated vulnerability disclosure allows security researchers to report vulnerabilities responsibly.

Guidance around what consists of appropriate and proportional security has been tightened, with a risk management approach now enforced and required to include:

  • risk analysis
  • information system security policies
  • incident response, business continuity, and crisis management planning
  • supply chain security, including management of third-party risks
  • audit and testing of controls
  • cryptography

Any organisation with a mature security management framework in place should already include these. However, it may be worth reviewing to ensure they are called out and auditable. The last substantive change is to bring penalties similar to GDPR. Those who fail to comply can be fined up to 2% of their global annual turnover, or €10 million, whichever is higher. Those who persist in breaking or ignoring the rules after warnings and fines can have suspended licenses or even see sanctions against their senior leadership. Hand in hand with this, the new form of the regulations places a strong responsibility on member states to supervise and enforce the legislation.

Overall, the new form of the directive clarifies existing guidance and strengthens the EU’s cyber security posture. Given the rapid growth of cybercrime and its impact on companies and individuals, along with the use of cyber security attacks to cause disruption, it is very much a step in the right direction.

Written by James Bore on behalf of Samurai Digital Security

Edited by Dr David Day