Changes to EU and UK NIS Cyber Security Legislation

Changes to the Directive on Security of Network and Information Systems

The European Parliament has agreed on the concept of a new security law, the Directive on Security of Network and Information Systems (NIS 2). The UK also has plans to update its existing NIS

The existing NIS legislation exists as EU law and in the UK as the NIS Regulations 2018.  The EU now plan an updated NIS 2 which will be more wide ranging in scope.

It might be best not to call the new EU legislation a cyber security law, as it extends to essential service providers. This would include digital data services, health care providers, pharmaceuticals, food chain suppliers and social networks, amongst other industries. The details of the legislation are still in draft form; once it is adopted by the EU Parliament, member states will have 21 months to integrate it into their national laws.

Targeted organisations will be subject to inspections, audits and requests for information on the security procedures in place, together with data on how these procedures are policed. Any incidents must be notified within 24 hours, with a more detailed report submitted to the authorities within 72 hours. Potential penalties for non-compliance would be fines of up to 10 million Euros or 2% of a company’s annual turnover, whichever is the higher.

The UK is not planning a parallel set of security measures but will retain the NIS Regulations 2018. A UK review of the 2018 NIS implementation, after two years as law, concluded that the costs to business (especially in the public sector) were outweighed by the savings from potential data loss and disruption. A public consultation on how the existing cyber legislation might be updated closed in April 2022.

The proposed new measures to update the NIS in the UK were:

  • Expand the scope of ‘digital services’ to include ‘managed services’;
  • Apply a two-tier supervisory regime for all digital service providers: a new proactive supervision tier for the most critical providers, alongside the existing reactive supervision tier for everyone else;
  • Create new delegated powers to enable the government to update the regulations, both in terms of framework but also scope, with appropriate safeguards;
  • Create a new power to bring certain organisations, ones that entities already in scope are critically dependent on, within the remit of the NIS Regulations;
  • Strengthen existing incident reporting duties, currently limited to incidents that impact on service, to also include other significant incidents;
  • Extend the existing cost recovery provisions to allow regulators (for example, Ofcom, Ofgem, and the ICO) to recover the entirety of reasonable implementation costs from the companies that they regulate.

Note that there would be some scope to extend where the law applies, but only to ‘managed services’. These would include security monitoring, incident response, network support services and business processing outsourcers, amongst others. This list is not as encompassing as the EU NIS 2 proposal; pharmaceutical and food chain providers, for example, are not specifically included.

Legislation such as the NIS cannot in itself make computer systems more secure. By setting security standards and having the means to enforce them, organisations are forced to become more cyber aware. Management may see a trade-off between the potential cost of a data breach and the investment needed to minimise that risk. Under a system of fines and reporting, fines can be levied for systems deemed at risk even if no incident takes place. Of course, if bad things do happen, any fines for not abiding by the legislation will be in addition to the costs of any data loss.

Although the pace of introduction for new legislation may seem glacial, this does allow time for organisations to plan, prepare and minimise the costs of compliance. Kindus can advise on how new and existing legislation will impact on business, ensuring ongoing compliance and optimal system security.
