By Patrick Hill & Stuart Hunt


Published 30 January 2023

Overview

Continued and increased risk of cyber incidents affecting critical infrastructure and generating significant financial losses has been at the forefront of legislators’ considerations for some time.  In the European Union, a package of reforms aims to strengthen cybersecurity measures across network systems, connected products and the financial sector.

As part of that package, the NIS 2 Directive (the “Directive”) aims to address the “inherent shortcomings that prevented [the now-repealed 2016 NIS Directive] from addressing effectively current and emerging cybersecurity challenges.”

Following approval from the European Parliament and Council in November 2022, the Directive was published in the Official Journal on 14 December 2022. Member States have until 18 October 2024 to apply measures needed to comply with the Directive.

In broad policy terms, the Directive seeks to address divergences that existed between Member States in respect of cybersecurity and resilience by:

  • setting out minimum rules for a functioning and coordinated regulatory framework;
  • updating the sectors and activities subject to cybersecurity obligations; and
  • providing effective remedies and enforcement measures in respect of those obligations.

Member States

On the specifics, the Directive requires Member States to adopt national cybersecurity strategies. These strategies include governance frameworks, mechanisms for identifying risks and plans for increasing awareness of cybersecurity risks amongst citizens.

Member States will also be required to designate one or more competent authorities responsible for cybersecurity, with a single point of contact nominated to act as liaison for cross-border and cross-sector cooperation within that Member State.  

Cyber crisis management authorities must also be created, and nationwide cybersecurity and crisis response plans adopted. One or more computer security incident response teams (CSIRTs) must be established by a competent authority and be provided with adequate resources to deal with the tasks assigned, including monitoring cyber threats, vulnerabilities and incidents, providing early warnings and responding to incidents.

Member States will also be expected to ensure the competent authorities undertake supervisory and enforcement measures on organisations in scope. The measures necessary are dependent on the categorisation of an organisation as ‘essential’ or ‘important’, but can include warnings, binding instructions or, if necessary, temporary suspensions of activities or services provided.

In addition, organisations which breach the cybersecurity risk-management measures (Article 21) or reporting obligations (Article 23) may be subject to fines of €7 million or 1.4% of annual worldwide turnover for important entities, or €10 million or 2% of annual worldwide turnover for essential entities.

Businesses

The Directive brings new sectors within scope, as well as requiring new compliance measures. Energy providers, transport organisations, banking, financial and digital infrastructure all fall under the Directive. In addition, food manufacture, production and distribution are also within scope, alongside waste management, chemicals, manufacturing and postal services.

Organisations within scope are categorised as either ‘essential entities’ or ‘important entities’, and their supervision and enforcement will be differentiated accordingly. Member States will be required to maintain updated information on the organisations.

At a general level, these organisations will be required to take “appropriate and proportionate technical, operational and organisational measures to manage the risks posed to [their] security of network and information systems.” These measures are expected to include, at minimum, policies on risk analysis, information system security, and incident handling.  Business continuity, crisis management and basic cyber hygiene / cybersecurity practices must also be considered. Where appropriate, multi-factor authentication or continuing authentication solutions must be included.

On the issue of supply chain security, the Directive states that organisations must “take into account the vulnerabilities specific to each direct supplier and service provider and the overall quality of products and cybersecurity practices of their suppliers and service providers.”

In order to ensure that the above measures are undertaken, the management bodies of those organisations must approve and oversee implementation. If the organisations fail to comply, then the individuals forming the management bodies “can be held liable for infringements.”

Incident reporting

In the event that a ‘significant incident’ occurs impacting on the services provided by an organisation, reporting obligations will be triggered. Article 23 defines significant incidents as “causing severe operational disruption of the services or financial loss for the entity,” or “affecting other natural or legal persons by causing considerable material or non-material damage.”

Such an incident must be reported within 24 hours to the CSIRT, together with any suspicions of malicious or unlawful acts with cross-border implications. This must be updated after 72 hours with an initial assessment of severity, impact and indicators of compromise. A final report should be submitted within one month thereafter, unless the incident is ongoing, in which case a progress report should be submitted instead. Status updates may also be requested by the CSIRT or the competent authority.

UK regulatory position

The UK Government made clear as part of its Cyber Strategy that strengthening cyber security measures was necessary, including updating the Network and Information Systems Regulations 2018. Following a consultation in late 2022, the Government confirmed that updates to the NIS Regulations would be made. These changes include bringing managed service providers within scope of the NIS Regulations, enhancing cyber incident reporting and creating an enforcement system to allow for costs recovery.

The proposed changes will be implemented as soon as Parliamentary time allows.
