Changes to EU and UK NIS Cyber Security Legislation
Changes to the Directive on Security of Network and Information Systems
The European Parliament has agreed on the concept of a new security law, the Directive on Security of Network and Information Systems (NIS 2). The UK also has plans to update its existing NIS
The existing NIS legislation exists as EU law and, in the UK, as the NIS Regulations 2018. The EU now plans an updated NIS 2, which will be wider in scope.
It might be best not to call the new EU legislation a cyber security law, as it extends to essential service providers. These would include digital data services, health care providers, pharmaceuticals, food chain suppliers and social networks, amongst other industries. The details of the legislation are still in draft form; once it is adopted by the EU Parliament, member states will have 21 months to integrate it with their national laws.
Targeted organisations will be subject to inspections, audits and requests for information on the security procedures in place together with data on how these procedures are policed. Any incidents must be notified within 24 hours with a more detailed report submitted to authorities within 72 hours. Potential penalties for non-compliance would be fines of up to 10 million Euros or 2% of a company’s annual turnover, whichever is the higher.
The UK is not planning a parallel set of security measures but will retain the NIS Regulations 2018. A UK review of the 2018 NIS implementation, two years after it became law, concluded that the costs to business (especially in the public sector) were outweighed by the savings from potential data loss and disruption. A public consultation on how the existing cyber legislation might be updated closed in April 2022.
The proposed new measures to update the NIS in the UK were:
- Expand the scope of ‘digital services’ to include ‘managed services’;
- Apply a two-tier supervisory regime for all digital service providers: a new proactive supervision tier for the most critical providers, alongside the existing reactive supervision tier for everyone else;
- Create new delegated powers to enable the government to update the regulations, in terms of both framework and scope, with appropriate safeguards;
- Create a new power to bring certain organisations, ones that entities already in scope are critically dependent on, within the remit of the NIS Regulations;
- Strengthen existing incident reporting duties, currently limited to incidents that impact on service, to also include other significant incidents;
- Extend the existing cost recovery provisions to allow regulators (for example, Ofcom, Ofgem, and the ICO) to recover the entirety of reasonable implementation costs from the companies that they regulate.
Note that there would be some scope to extend where the law applies but only to ‘managed services’. These would include security monitoring, incident response, network support services and business processing outsourcers amongst others. This list is not as encompassing as the EU NIS 2 proposal; pharmaceutical and food chain providers for example are not specifically included.
Legislation such as the NIS cannot in itself make computer systems more secure. By setting security standards and having the means to enforce them, organisations are forced to become more cyber aware. Management may see a trade-off between the potential cost of a data breach and the investment needed to minimise that risk. With a system of fines and reporting, there will be fines for systems deemed at risk even if no incident takes place. Of course, if bad things do happen, any fines for not abiding by the legislation will be in addition to the costs of any data loss.
Although the pace of introduction for new legislation may seem glacial this does allow time for organisations to plan, prepare and minimise the costs of compliance. Kindus can advise on how new and existing legislation will impact on business, ensuring ongoing compliance and optimal system security.