Is your organisation ready for NIS 2?

The next iteration of the Network and Information Systems (NIS) Directive is approaching. See below what this entails, how it will affect your organisation and how PwC can help.

What is the NIS Directive?

The Network and Information Systems (NIS) Directive aims to improve the cyber security and resilience capability of organisations that contribute towards Critical National Infrastructure. It came into force on 10 May 2018 and was transposed into UK legislation through the NIS Regulations 2018. The NIS Regulations require in-scope entities (Operators of Essential Services (OES) and Relevant Digital Service Providers (DSPs)) to abide by the requirements set, and require an annual compliance self-assessment against the requirements of the NIS Directive, which is then submitted to the relevant Competent Authority.

What were the requirements of NIS1?

The NIS Regulations 2018 require in-scope organisations to:

  • “Take appropriate and proportionate technical and organisational measures to manage risks posed to the security of the network and information systems on which their essential service relies.”[1]
  • “Take appropriate and proportionate measures to prevent and minimise the impact of incidents affecting the security of the network and information systems used for the provision of an essential service, with a view to ensuring the continuity of those services.”[2]
  • “Notify the designated Competent Authority about any incident which has a significant impact on the continuity of the essential service.”[3]

What does this mean in practice?

  • In the UK, organisations are to be guided by the National Cyber Security Centre’s (NCSC) Cyber Assessment Framework (CAF), but are not required to be assessed against it.
  • Competent Authorities have significant latitude to define what are considered appropriate and proportionate measures.
  • If a Competent Authority believes that an organisation is an OES, the NIS Regulations contain powers that enable the Competent Authority to acquire the necessary information from the organisation to determine whether it is an OES. If the organisation is deemed to meet the threshold requirements to be an OES, the Competent Authority has to formally designate it as an OES. Until it receives a formal designation from the Competent Authority, an organisation is not required to comply with NIS.
    • However, if an organisation is unsure whether it is in scope of the NIS Directive, it is the organisation’s responsibility to contact the Competent Authority for clarification.
  • As an OES (in the transport, energy, water, health, and digital infrastructure sectors), organisations are able to appeal against the following decisions by a Competent Authority[4], namely to:
    • designate that person as an OES
    • revoke the designation of that OES
    • serve an enforcement notice on that OES
    • serve a penalty notice on that OES
  • As a relevant DSP under the NIS Regulations, organisations are able to appeal against the following decisions by the Information Commissioner’s Office, namely to serve:
    • an enforcement notice on that relevant DSP
    • a penalty notice on that relevant DSP

What is EU NIS 2?

EU NIS 2 is proposed to have more stringent supervision measures (and consequently greater fines than the first iteration) and to strengthen requirements regarding supply chain security, accountability of company management for risk-management compliance, and more streamlined incident reporting provisions. The Council and European Parliament have agreed on the NIS 2 Directive, which means it will shortly be approved and enter into force.

EU NIS 2 will also remove the distinction between OESs and relevant DSPs, replacing them with two categories: essential entities and important entities. Whether an organisation is considered essential or important depends on the size of the company (defined within the Directive[5]) and on whether it falls under a critical or very critical sector (also defined within the Directive). Sectors of high criticality include energy, transport and health, to name a few.

As part of NIS 2, the scope has been expanded to include more sectors and services; more specific detail of which types of organisations will be included in the categories below is expected to be published soon.

These include:

  • Providers of public electronic communications networks or services
  • Digital services such as social networking services platforms and data centre services
  • Waste water and waste management
  • Space
  • Manufacturing of certain critical products (such as pharmaceuticals, medical devices and chemicals)
  • Food
  • Postal and courier services
  • Public administration

What will NIS 2 look like in the UK?

The UK will not be implementing EU NIS 2, but is planning its own NIS changes which are expected in 2024.

The main changes expected in the UK’s NIS update include:

  • More regulation of managed service and digital service providers - e.g. inclusion of providers of social networking services platforms.
  • Regulation of critical suppliers to operators of essential services in more sectors (e.g. major GP IT providers for operators of essential services) by Competent Authorities.
  • Organisations that provide critical services across multiple sectors will be regulated by one Competent Authority, which will be agreed by the Government.
  • Lowering the threshold for the types of incident that regulated organisations must report to their respective Competent Authority. The specifics are to be confirmed, but it is expected that these will be incidents that may have affected servers, resilience or security in any way.

How will EU NIS 2 affect your organisation?

The changes proposed by EU NIS 2 will not be followed or mirrored by the UK, which means that they will not apply to organisations that operate essential services solely within the UK, but will apply to organisations that operate essential services within the EU. Please note that there are likely to be territorial differences in the application of NIS 2 across EU member states, which are yet to be confirmed.

Managing compliance with differing regulatory requirements poses many challenges and needs to be approached in a manner that facilitates efficient compliance. This can be achieved through the development of a unified compliance framework that comprises all of the regulatory obligations an organisation has to meet. A unified compliance framework ensures efficient compliance by measuring against one framework while satisfying the obligations imposed by numerous regulations.

How can PwC help?

We can support you by providing a compliance readiness diagnostic, which will provide you with:

  • An understanding of your organisation’s cyber security maturity in relation to NIS 2 requirements, identifying the current gaps and your organisation’s awareness requirements,
  • A roadmap to address them before October 2024, and
  • A defensible compliance position.

Our specialist Cyber Incident Response team is certified under the NCSC CIR scheme and is able to offer a NIS Directive-aligned incident response retainer as an optional service. This will give OESs and relevant DSPs confidence that the NIS reporting standards and guidelines will be met, and that rapid and effective support will be there in the event of a notifiable incident.

Contact us

Tom Nash

Director, PwC United Kingdom

Tel: +44 (0)7483 378370
