Toro Insights

Navigating NIS2: A Guide to New EU Cybersecurity Regulations


Over the next couple of years, we are set to experience some significant regulatory changes in the field of IT and cyber security. NIS2 sits at the top of a three-pointed triangle alongside the Critical Entities Resilience (CER) Directive and the Digital Operational Resilience Act (DORA). Before addressing NIS2, I will quickly cover these accompanying changes, one of which we have already discussed:

DORA addresses the EU’s financial sector with digital security regulations. NIS2 builds upon this by broadening the industries within scope; consequently, NIS2 could be seen as an extension of DORA to match the scope of the CER.

https://www.torosolutions.co.uk/en/toro-blog-listing/dora-everything-you-need-to-know  

The Critical Entities Resilience Directive is set to place obligations on entities to create plans and mitigations for all hazards, whether natural, man-made, accidental, or intentional. The CER, as will be seen below for NIS2, applies across key sectors including energy, transport, utilities, banking, financial services, health, digital infrastructure, public administration, space, and manufacturing.  

NIS2 is a key part of the EU's cybersecurity strategy. It is an updated legislative framework introduced by the European Union to boost the overall level of cybersecurity in the EU. The framework is an update to the original NIS Directive, adopted in 2016.

As with DORA, the key change being introduced by NIS2 is business resilience: a new set of rules that cover several primary and secondary sectors, with obligations that extend to supply chain risk. For the organisations identified in the new rules, having a strong cyber security posture will be essential for compliance. In the ever-changing technological world, cybersecurity is now moving to a higher than ever minimum standard. Governments are increasingly responding to this by introducing new laws that aim to make cyber security holistic, sustainable, and future facing. Changes to the security practices of businesses, particularly those servicing customers in the EU (European Union), will be significant.

At the end of May 2024, Mastercard announced its drive to stay on top of this changing environment by creating its European Cyber Resilience Centre. As a key provider of financial services across the EU, Mastercard is a central target of NIS2 obligations. It is telling that the company has gathered experts from the public and private sectors and set up an office in Belgium. This evidences Mastercard’s awareness of the new obligations and further shows a commitment to NIS2’s requirement to account for the “state-of-the-art” and international standards like ISO 27001.

https://www.torosolutions.co.uk/iso-27001  

Many businesses impacted by NIS2 will not be as large as Mastercard.  

These businesses will have to look at their security posture and seek concise, expert, actionable steps to meet these fast-approaching changes.  

Will you be impacted by NIS2? 

In 2016 the EU introduced the Network and Information Security Directive (NIS1). It set strict cybersecurity requirements for organisations operating in ‘essential sectors’ such as IT and utilities.

Following Brexit, it is not always clear to many businesses in the UK whether NIS2 will apply to them. It is important to clarify that the NIS2 directive applies to all organisations (within scope) that operate in the EU and service EU citizens. This will include a substantial number of UK organisations that have offices in, or sell services in, the EU.

If you are one of these businesses, then you will need to be NIS2 compliant by 17 October 2024. 

NIS2 sorts these service providers into two groups: ‘Essential Entities’ (EE) and ‘Important Entities’ (IE).

‘Essential Entities’ are identified as: 

  • Energy 
  • Transport  
  • Finance  
  • Public Administration 
  • Health  
  • Space
  • Water Supply 
  • Digital Infrastructure

As a rule, an EE has 250 or more employees, with an annual turnover of 50 million EUR or a balance sheet of 43 million EUR.

‘Important Entities’: 

  • Manufacturing  
  • Digital Providers (social networks, search engines and online marketplaces) 
  • Foods (sale and production) 
  • Research 
  • Chemicals 
  • Waste Management  
  • Postal Services  

As a rule, an IE has 50 employees and produces an annual turnover of 10 million EUR or a balance sheet of the same amount.

What are these new obligations?  

The requirements on providers (in both member and non-member states) that service the EU include:

Stricter risk management: Policies will be required for information system security, business continuity, incident handling, supply chain security, and risk management. Each of these must be assessed against the organisation’s current processes and, where required, the entity must ‘without undue delay’ take all necessary and appropriate measures to correct them.

Enhanced incident notification requirements: NIS2 introduces strict rules for incident reporting, covering the content, processing and drafting of reports. In addition to reporting to incident response teams, entities may be required to report incidents to their service users. Higher obligations may apply to ‘significant incidents’, which include phased notification, commencing with an early warning within the first 24 hours of becoming aware of a breach.

Corporate Accountability: The managers of entities within the scope of NIS2 will be obliged to be trained on, approve, and oversee the organisation’s cybersecurity measures and to address cyber risks. Failure to meet these requirements may result in administrative sanctions and fines, including personal liability and the potential for temporary bans from management roles.

Business Continuity: Organisations must plan how they intend to ensure business continuity in the case of major cyber incidents. This plan should include the setting up of a crisis response team, system recovery and emergency procedures.

ICT supply chains and supplier relations: NIS2 requires entities to address cybersecurity risks in their own ICT supply chains. This obligation will indirectly impact suppliers and vendors that provide products and/or services to entities within the scope of NIS2.  

Registration with supervisory authority: In-scope entities will need to assess their categorisation under NIS2 and, if applicable, register their information with their respective EU Member State authority. The deadline for this is 17 April 2025; however, some essential entities will need to do this before 17 January 2025.

In addition to the above overarching areas, NIS2 mandates that both essential and important entities implement 10 baseline security measures. These are:

  1. Risk Assessments and security policies for information systems. 
  2. Policies and procedures for evaluating the effectiveness of security measures.  
  3. Policies and procedures for the use of cryptography and, when relevant, encryption.  
  4. A plan for handling security incidents. 
  5. Cybersecurity training for stakeholders.  
  6. Security for the procurement of systems and the development and operation of those systems. This includes the reporting and handling of vulnerabilities.  
  7. Security procedures for employees with access to sensitive or important data, including relevant access policies. IE and EE organisations must maintain an inventory of relevant assets.
  8. Multi-factor authentication. 
  9. A plan for managing business operations during and after a security incident, with up-to-date backups and a plan for accessing IT systems during and after an incident.
  10. Supply Chain security including assessments on the security level of suppliers.  

Supervisory authorities in EU Member States will gain several powers to enforce compliance, including inspections, targeted audits, security scans, information requests and data access requests.  

Following checks, supervisory authorities may impose administrative sanctions, including orders to cease conduct. Fines may be as high as 10 million EUR or 2% of worldwide annual turnover, whichever is higher.

Important Entities may face fines of up to 7 million EUR or 1.4% of their worldwide annual turnover, whichever is higher.

What is the UK’s Answer? 

In November 2022 the UK government published its proposal to improve the UK’s cyber resilience, expanding on the original UK NIS regulations of 2018. The reforms proposed by the UK focus on the providers of digital services. Under this proposal, Managed Service Providers (MSPs) would be added to the list of regulated sectors under NIS in the UK where their services meet the following characteristics:

  • they are supplied to a client by an external supplier, 
  • they involve regular and ongoing service management of data, IT infrastructure, IT networks and/or IT systems, 
  • they are categorised as business to business (B2B) rather than business to consumer (B2C) services, 

and 

  • their provision relies on network and information systems. 

This will also apply to supply chain risk management assessments. Organisations that will have to comply under this proposal are those that

  • have privileged access or connectivity to a customer’s data, IT infrastructure, IT networks and/or IT systems, 

or 

  • perform essential or sensitive functions, such as the processing and/or storage of confidential or business-critical data. 

Actions to take: 

Using the above information, you first need to identify whether your business falls under NIS2 obligations. Once this is clear, it is important to confirm which Member State’s cybersecurity laws will apply. This may include how that Member State will implement the Critical Entities Resilience (CER) Directive, which applies to physical security measures, and the Digital Operational Resilience Act.

Once you are clear that you will be affected, you will need to create a roadmap to compliance.  

We would recommend starting by reviewing your organisation’s incident response and reporting policies and procedures. These should be reviewed and updated on a continual basis; under NIS2, evidencing adequate consideration of evolving threats will be important for compliance.

Another crucial step is to review and update your risk management procedures. Risk management systems are most effective when they are bespoke to your operations and your needs, and they must be regularly updated. NIS2 sets a new expectation that risk management procedures are not only bespoke but also holistic and future facing. This also extends to Third-Party Risk Management (TPRM) processes: entities will increasingly need to adopt a ‘service-user first’ approach to evaluating vendor relationships and assessing threats.

Finally, taking stock of your security posture, including any known and unknown vulnerabilities, is key.

Understanding your company’s culture, ways of working, and ways of communicating will give you the knowledge to make informed security decisions. Digital Footprint Reviews, Security Reviews and Training are just some of the services you can access to identify and assess your position. This is the foundation of any effective security policy and risk mitigation measure.

NIS2 shows that the regulated cyber landscape is changing to one where a proactive security stance is not only valuable but required. Considering new regulatory changes and reassessing your security is now a necessity. The priority is no longer simply staying safe; it goes further, requiring businesses to be active contributors to the safety of service users and the wider cyber environment.

Using our converged security approach, we have been privileged to work for clients, providing policy writing, risk management and resilience building across Physical, Digital, and Cyber risks. NIS2 compliance is just one of our capabilities; the others include the Digital Operational Resilience Act and the Critical Entities Resilience Directive.

If you think NIS2 will apply to you and you have further questions, or you have an area of concern, we would be happy to respond: info@torosolutions.co.uk.