The Network and Information Systems (NIS) Directive is the first piece of EU-wide legislation on cybersecurity. It provides legal measures to boost the overall level of cybersecurity in the EU. For the last two years it has served as a foundation for good cyber hygiene, but it applied only to Operators of Essential Services (OES).
During 2020 we became dependent on more essential services because of COVID-19. We realised that we needed not only power, water, healthcare and digital services in order to work remotely, but also other forms of transportation to move goods around. Food and beverage production increased, as did our reliance on sectors that are often overlooked, such as manufacturing, the supply chain for medical devices, pharmaceuticals and wider logistical operations such as the postal service, to mention a few.
Review of the NIS Directive
Article 23 of the Directive requires the European Commission to review the functioning of this Directive periodically. As part of its key policy objective to make “Europe fit for the digital age” the Commission announced in its Work Programme 2020 that it would conduct the review by the end of 2020.
NIS Directive V2
As a result of the review process, the new legislative proposal was concluded on 16th December 2020. The proposal is part of a package of measures to further improve the resilience and incident response capacities of public and private entities. The new EU cyber strategy confirms that a revised NIS Directive is necessary to increase the level of cyber resilience across all relevant sectors “that perform an important function for the economy or society” and to reduce inconsistencies across the internal market by aligning scope, security and incident reporting requirements, national supervision and enforcement. The changes include:
- More stringent supervision measures and enforcement are introduced
- A list of administrative sanctions, including fines for breach of the cybersecurity risk management and reporting obligations is established
- Establishment of the European Cyber Crisis Liaison Organisation Network (EU-CyCLONe) to support coordinated management of large-scale cybersecurity incidents and crises at EU level
- Increased information sharing and cooperation between Member State authorities, with an enhanced role for the Cooperation Group
- Coordinated vulnerability disclosure for newly discovered vulnerabilities across the EU is established
Cybersecurity risk management
- Strengthened security requirements with a list of focused measures including incident response and crisis management, vulnerability handling and disclosure, cybersecurity testing, and the effective use of encryption
- Cybersecurity of the supply chain for key information and communication technologies will be strengthened
- Accountability of the company management for compliance with cybersecurity risk-management measures
- Streamlined incident reporting obligations with more precise provisions on the reporting process, content and timeline
Read more from the European Commission
Sectors that perform an important function for the economy or society
What does this mean for UK companies?
On 30th December 2020 the government posted guidance on the NIS regulations for UK and non-UK digital service providers on its website. The links are below for further reading.
It is unclear at this point how the NIS2 regulations will affect the UK in other areas; however, these proposals were passed before the formal leave date of 31/12/2020. If these changes come into effect, they will bring into scope a number of sectors that were not covered by the original NIS Directive. If 2020 has taught us anything, it's that we can adapt to change quickly and bounce back.
Global law firm White & Case notes: “Perhaps unsurprisingly, the UK Government has confirmed that the NIS Regulations will continue to apply in the UK after Brexit”.
“In practice, unless and until the NIS Regulations are repealed, the essential requirements of the NIS Directive will continue to apply to in-scope organisations in the UK through the application of the NIS Regulations”.
What does seem clear, through the Network and Information Systems (Amendment etc.) (EU Exit) Regulations 2019, is that “These amendments include the removal of obligations on the regulatory authorities and the National Cyber Security Centre (NCSC) to liaise, co-operate and share information with the European and authorities in other Member States. Where appropriate, co-operation and information sharing could still be conducted. NCSC is designated as the computer security incident response team and single point of contact under the NIS Regulations”.
Business as usual
As the fallout from Brexit continues, clearer guidance will follow on the UK’s pathway into the global and EU markets and on how UK PLC will address the security needs of a digital United Kingdom. For now, we continue with business as usual.
SolutionsPT will continue to track and monitor the changes to the NIS Directive to ensure that we can deliver the appropriate advice and guidance to our customers. The changes that the EU is making to the NIS Directive are, in many ways, a proportionate response to the changing threat landscape and to our reliance on essential businesses over and above those originally indicated in the first Directive.
In discussions that we have had with the UK National Cyber Security Centre (NCSC), they have already indicated that food and beverage, along with transportation and logistics, were verticals of interest, together with UK datacentres.
2021 is continuing to be challenging, and we’re now entering another total lockdown like the one we saw in March 2020. The need for robust and secure digital services, along with stable remote access, is paramount.
Happy new year everyone!