The Network and Information Systems (NIS) Directive is the first piece of EU-wide legislation on cybersecurity. It provides legal measures to boost the overall level of cybersecurity in the EU. For the last 2 years it has served as a foundation for good cyber hygiene, although it applied only to Operators of Essential Services (OES).
During 2020 we became dependent on more essential services because of COVID-19, realising that we needed not only power, water, healthcare and digital services to work remotely, but also other forms of transportation to move goods around. Food and beverage production increased, as did our reliance on sectors that are often overlooked, such as manufacturing, the supply chain for medical devices, pharmaceuticals and wider logistical operations such as the postal service, to mention a few.
Article 23 of the Directive requires the European Commission to review the functioning of this Directive periodically. As part of its key policy objective to make “Europe fit for the digital age” the Commission announced in its Work Programme 2020 that it would conduct the review by the end of 2020.
As a result of the review process, the new legislative proposal concluded on 16th December 2020. The proposal is part of a package of measures to improve further the resilience and incident response capacities of public and private entities. The new EU cyber strategy confirms that a revised NIS Directive is necessary to increase the level of cyber resilience across all relevant sectors “that perform an important function for the economy or society” and to reduce inconsistencies across the internal market by aligning scope, security and incident reporting requirements, national supervision and enforcement. These include:
Greater Capabilities
Cooperation
Cybersecurity risk management
Read more from the European Commission
The government posted guidance on 30th December 2020 on the NIS regulations for UK digital service providers and non-UK digital service providers on its website. The links are below for further reading.
https://www.gov.uk/guidance/nis-regulations-uk-digital-service-providers-operating-in-the-eu
https://www.gov.uk/guidance/nis-regulations-non-uk-digital-service-providers-operating-in-the-uk
It is unclear at this point in time how the NIS2 regulations will affect the UK in other areas; however, these proposals were passed before the formal leave date of 31/12/2020. If these changes come into effect, they will bring in a number of sectors that were not covered by the original NIS Directive. If 2020 has taught us anything, it's that we can adapt to change quickly and bounce back.
Global law firm White and Case notes: “Perhaps unsurprisingly, the UK Government has confirmed that the NIS Regulations will continue to apply in the UK after Brexit”.
“In practice, unless and until the NIS Regulations are repealed, the essential requirements of the NIS Directive will continue to apply to in-scope organisations in the UK through the application of the NIS Regulations”.
What does seem clear, through the Network and Information Systems (Amendment etc.) (EU Exit) Regulations 2019, is that “These amendments include the removal of obligations on the regulatory authorities and the National Cyber Security Centre (NCSC) to liaise, co-operate and share information with the European and authorities in other Member States. Where appropriate, co-operation and information sharing could still be conducted. NCSC is designated as the computer security incident response team and single point of contact under the NIS Regulations”.
https://www.legislation.gov.uk/uksi/2019/653/pdfs/uksiem_20190653_en.pdf
As the fallout from Brexit continues, clearer guidance will emerge on the UK’s pathway into the global and EU markets and on how UK PLC will address the security needs of a digital United Kingdom. For now, we continue with business as usual.
SolutionsPT will continue to track and monitor the changes to the NIS Directive so that we can deliver the appropriate advice and guidance to our customers. The changes the EU is making to the NIS Directive are in many ways proportionate to the changing threat landscape and to our reliance on essential businesses over and above those originally indicated in the first Directive.
In discussions that we have had with the UK National Cyber Security Centre (NCSC), they have already indicated that food and beverage, along with strong transportation and logistics, were verticals of interest, as were UK datacentres.
2021 is continuing to be challenging, and we’re now entering another total lockdown like the one we saw in March 2020; the need for robust and secure digital services, along with stable remote access, is paramount.
Happy new year everyone!
#solutionspt #otsecurity #otcybersecurity