Improving cybersecurity for essential services and infrastructure is high on the agenda for the UK’s and the EU’s legislators, in response to the ever-evolving threat landscape. The UK’s and the EU’s respective network and information systems or NIS regimes, while both to be strengthened (including by bringing managed service providers into scope), look to be diverging.
Some fear that this may lead to inconsistent cybersecurity standards. In-scope organisations operating in both the UK and EU will need to monitor developments in relation to each regime and their suppliers should prepare for increased due diligence. This briefing looks at some of the potential differences and their likely impact in practice.
- What is NIS and why is the legislation being changed?
- Changes to the scope of the NIS legislation in the EU and the UK
- What security measures will in-scope organisations have to implement to comply?
- Will organisations be able to take a similar approach to incident reporting for the EU and the UK?
- Supervision and enforcement of the NIS regimes
- Implementation timetable
- The impact of divergence
1. What is NIS and why is the legislation being changed?
NIS stands for “network and information systems”. These have become central to everyday life, with a huge increase in digitalisation, interconnectedness of society and cross-border data exchanges. A corresponding surge in the number and sophistication of cyberattacks threaten those systems, a situation which has been exacerbated by the geopolitical climate, including the pandemic and the conflict in Ukraine.
In very broad terms, the current NIS regimes in the EU and the UK essentially require in-scope organisations to adopt appropriate security measures to protect against cyber threats, including monitoring, auditing and testing, together with specific procedures to report and respond to security breaches. Both the UK and the EU recognised the need to adapt their respective NIS legislation to respond to the changing threat landscape.
What is changing and why?
In the EU, the NIS2 Directive will replace the EU’s current directive on security of network and information systems (NIS1) and cover new sectors. Meanwhile, the UK Government announced on 30 November 2022 that it is pressing ahead with its proposals to improve the UK’s cyber resilience, including by extending the existing scope of the Network and Information Systems Regulations 2018 (NIS Regulations) to regulate managed IT service providers. Following Brexit, the UK is no longer required to follow the NIS2 Directive and although it could choose to follow the EU’s approach, it does not appear minded to do so – hence the concerns over divergence.
Background to the changes
The European Commission decided in 2020 that NIS1, which allowed wide discretion to Member States, required revision: the different implementation approaches by Member States had led to significant inconsistencies and fragmentation in the regulatory landscape. NIS2 is intended to reduce divergence, as well as increase co-operation between responsible authorities in Member States.
The UK, which transposed NIS1 into national law through the NIS Regulations, will not be required post Brexit to implement NIS2 and is separately updating its legislation. In January 2022, the UK Government launched a public consultation on proposals to improve the UK’s cyber resilience, to include seven policy measures, split across two pillars, the first pillar to amend provisions relating to digital service providers, the second to future-proof the NIS Regulations.
2. Changes to the scope of the NIS legislation in the EU and the UK
The EU’s NIS2 scope increases are more far-reaching than those currently proposed by the UK Government, although both regimes will be extended to cover managed service providers. The UK Government also plans to give itself the power under new legislation to bring other sectors and organisations into scope (although concedes that this should be made subject to further safeguards).
Extended scope of NIS2
The EU’s NIS2 Directive scope is significantly wider than NIS1. NIS2 scraps the categories of “operators of essential services” and “digital service providers”, replacing them with two categories, “essential entities” and “important entities”, to include medium and large organisations (NIS2 introduces a size-cap rule, but with some exceptions for certain entities that are within scope irrespective of their size) operating in the following sectors:
- “essential entities”: energy; transport; banking; financial markets infrastructure; health; drinking water and wastewater; digital infrastructure (such as cloud service providers, data centre service providers, trust service providers, content delivery networks, and public electronic communications networks and services); ICT service management; public administration; space; and
- “important entities” (which are subject to lesser oversight than essential entities): postal and courier services; waste management; the manufacture, production and distribution of chemicals; food production, processing and distribution; manufacturing; digital providers (such as providers of online marketplaces, online search engines and social networking services platforms) and research.
Managed service providers are to be caught by the “ICT service management” category.
Proposed scope change to the UK’s NIS Regulations
The most important change that the UK Government plans to make to the scope of the UK’s NIS Regulations (supported by the majority of respondents to the consultation) is to expand the regulation of digital service providers (currently limited to search engines, online marketplaces and cloud computing service providers) to include “managed service providers”.
In response to feedback from its January 2022 consultation, the UK Government has clarified that “managed service providers” will only catch services with all of the following characteristics. Those services must:
- be provided by one business to another business (i.e. to a third party, not internally-provided services or business-to-consumer services);
- relate to the provision of IT services, such as systems, infrastructure, networks and/or security, e.g. IT outsourcing services (ITO); service integration and management (SIAM); application management; managed security operations centres (SOC); security monitoring (SIEM); threat and vulnerability management (TVM). This takes non-IT services, such as business processing outsourcing (e.g. HR and payroll) out of scope;
- rely on the use of network and information systems, whether this is the network and information systems of the provider, their customers or third parties; and
- provide regular and ongoing management support (ad hoc IT consultancy and software development is therefore out of scope).
Traditional data centres (i.e. those which are not already regulated as cloud service providers) are not currently in scope but the Government has said that this is to be kept under review.
3. What security measures will in-scope organisations have to implement to comply?
Seeking to harmonise requirements across Member States, NIS2 will leave less discretion to Member States than its predecessor, setting out minimum rules for regulatory frameworks and establishing more stringent cybersecurity measures that must be implemented. It requires in-scope entities to implement “appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which those entities use in the provision of their services” in connection with a list of specified matters, such as incident handling, business continuity, supply chain security, encryption, access control, the use of multi-factor authentication, and vulnerability handling and disclosure. NIS2 will impose responsibilities on “management bodies” of essential and important entities to approve cybersecurity measures and supervise their implementation; management may also be held liable (as well as temporarily banned) if the organisation does not comply with cybersecurity requirements.
The UK will take a different (more flexible) approach. Competent authorities responsible for regulating each sector will continue to set the cybersecurity measures which regulated entities will have to implement. The UK Government also sees “outcomes focused tools such as the Cyber Assessment Framework (as providing) a measure of flexibility for companies“.
Spotlight on supply chains
The proposed changes to the EU and UK legislation reflect the fact that cyberattacks frequently compromise an organisation’s network and information systems security by exploiting vulnerabilities in that organisation’s supply chain. In addition to regulating managed service providers directly (see section 2 above):
- Under NIS 2, regulated entities must also take their supply chains into account in their security measures, including considering specific suppliers’ vulnerabilities and the overall quality of their products and cybersecurity practices. Suppliers should therefore be prepared for increased due diligence from their in-scope NIS2 customers concerning their cybersecurity practices and information security policies (and for security provisions in contractual arrangements to be bolstered).
- In the UK, the Government proposes to create a new power to designate critical suppliers or services, on which existing essential and digital services depend, bringing other key parts of the supply chain directly into the scope of the NIS Regulations. The Government acknowledges that this aspect of its proposed reforms needs fleshing out further – the designation process in particular.
4. Will organisations be able to take a similar approach to incident reporting for the EU and the UK?
Both NIS2 and the UK Government’s proposals entail more stringent incident reporting requirements but the EU’s reporting regime will be more onerous than that in the UK.
Incident reporting comparison
Under NIS2 notification of any “significant incident” must be made without undue delay via a staged process to the relevant competent authority or national Computer Security Incident Response Team (CSIRT) (an incident is considered “significant” if it has caused, or is capable of causing, substantial operational disruption or financial losses to the entity; or the incident has affected or is capable of causing considerable losses to others). An initial notification (or “early warning”) must be made at the latest within 24 hours of becoming aware of the incident, a second report within 72 hours, and a final report within one month of the second report.
The UK Government intends to change the reporting duties of in-scope organisations to capture not only incidents that disrupt service, but also those that pose a high risk to, or significantly impact the service, even though they don’t immediately disrupt it. However, it acknowledged that the precise circumstances in which reporting will be required need to be clarified (supplemented by guidance from regulators). There has been no indication that the existing 72 hour reporting deadline will be changed.
5. Supervision and enforcement of the NIS regimes
Under NIS2, different rules apply to “essential entities” and “important entities” for cybersecurity breaches. Essential entities are subject to fines of €10m or, if higher, 2% of the total annual global turnover. Important entities are subject to a maximum fine of €7m or, if higher, 1.4% of the total annual global turnover of the undertaking in the previous financial year. Essential entities may also be subject to proactive oversight, such as strict audits, including on and off-site inspections, whereas investigations of important entities are only carried out on a reactive basis, e.g. if the supervisory authority receives information that an important entity is suspected of non-compliance with NIS2.
The UK also proposed a two-tiered approach to digital service provider supervision – a proactive supervisory regime for the most critical digital services and a reactive one for the rest. In response to consultation feedback, the government is considering whether a more flexible, risk-based assessment would work better. It plans to implement these changes through non-legislative means (i.e. the ICO is to produce and update guidance on how it will regulate digital services).
There is currently no indication that the UK reforms will increase the penalties for non-compliance above the current £17m limit.
6. Implementation timetable
NIS2 came into force on 16 January 2023 and must be implemented by Member States by 17 October 2024.
The timeframe for changing the NIS Regulations, subject to the finding “a suitable legislative vehicle” to do so, is less clear and will be made “as soon as parliamentary time allows”. An updated regime is unlikely to be in place before 2024.
A difference in the timing of implementation is likely to increase costs to some extent, as businesses active in both the UK and the EU will need to allocate time and resources to compliance exercises on two occasions rather than one.
7. The impact of divergence
Cybersecurity threats do not respect international borders – an attack on a “weak link” in one territory can have repercussions for citizens and businesses in another, regardless of whether they are in the EU or in the UK. In a highly interconnected world, if one country adopts a substantially weaker regulatory regime in pursuit of competitive advantage, this may bring jobs and investment but at the cost of increasing the overall level of cyber-risk – with a corresponding negative impact on the wider economy.
Revising NIS1 will address sub-optimal implementation in one Member State negatively impacting cybersecurity in another. The UK’s National Cyber Strategy also recognises that threats to the UK’s cybersecurity cannot be tackled effectively without international cooperation…
Technology supply chains and critical dependencies are increasingly global, cyber criminals and state-based actors operate from around the world, powerful technology companies export products and set their standards, and the rules and norms governing cyberspace and the internet are decided in international fora
Government Cyber Security Strategy 2022–2030
…but the UK Government also aims for cyber power for the UK in support of national goals, to provide the UK with a competitive edge in the international arena. Despite some disquiet expressed in feedback to the UK Government’s consultation about potential divergence between the UK and EU’s approach to NIS, the UK Government has clearly stated that it intends to forge its own path:
Given that the UK is no longer bound by EU legislation and will not be implementing NIS 2.0 there will be differences between the EU and the UK. The UK’s legislation is designed for the UK economy and to maximise benefits to the UK
Government response to the call for views on proposals to improve the UK’s cyber resilience, GOV.UK
Is divergence worth it?
The UK Government might argue that its more flexible, risk-based approach (leaving much of the detail to secondary legislation and regulator guidance) can achieve the same results but at a lower cost to business. However, any organisations that are “essential” or “important” entities with customers across the UK and the EU will need to comply with NIS2 in any event. As such, the space for the UK to gain competitive advantage from a divergent approach may be somewhat limited – and if the UK diverges significantly from the EU’s approach, those same businesses will face extra costs from having to comply with two substantially different sets of rules. Given the UK Government’s aim to “minimise regulatory burdens”, it is to be hoped that it will be cognizant of this risk.
A more positive way of viewing the UK’s approach is that if it can prove that its regulatory regime is superior to that of the EU (i.e. it achieves broadly the same objectives but at lower cost to business), the latter might be persuaded to adopt it in future – in which case a degree of ongoing regulatory “competition” with the EU could, in the long run, prove to be a good thing for both sides. However, for this strategy to be effective, the UK really needs to be “getting out in front” of the EU when it comes to regulation and leading by example. In this case (as in a fair number of other areas), it is the EU which is in the lead in terms of updating its cybersecurity regime, with the UK somewhat belatedly following suit – having largely missed the opportunity to influence NIS2 in what it would see as a more positive direction.
Of course, there’s unlikely to be a uniform approach across the EU either. While NIS2 seeks to achieve a higher level of harmonisation than the current rules, it does not preclude Member States from adopting provisions ensuring a higher level of cybersecurity, provided that such provisions are consistent with their obligations under EU law, so in the EU too there is likely still to be some divergence between Member States.
What about other, related sectors such as financial services?
There is also a need for coordination with regulation outside the scope of the NIS regime, particularly in the financial services sector. In the UK, the Government will need to work closely with the Financial Conduct Authority and Bank of England, and their proposals relating to critical third parties in the financial sector aimed at managing the risks associated with supplier failure and concentration risk. The EU has sought to align NIS2 with the regulation on digital operational resilience for the financial sector (DORA) and the directive on the resilience of critical entities (CER), to ensure coherence between NIS2 and those acts.
Spotlight on Better Regulation series
This is the fourth in a series of briefings on regulatory reform and better regulation across a range of different sectors, entitled Spotlight on Better Regulation. So far, we have discussed:
You can also use our Regulatory Reform portal to check for the latest updates on changes to regulation across all areas on which we advise.