From 18 October 2024, EU Member States must apply national laws implementing the EU’s second Network and Information Security Directive (NIS2), which sets cybersecurity obligations for operators of essential and important services and brings new responsibilities for businesses and governments alike. Here, Jonathan Armstrong, Partner at Punter Southall Law and expert in compliance and technology law, sheds light on the implications of NIS2 for organisations operating in the EU and beyond.
Jonathan is a co-author of LexisNexis’ definitive work on technology law, “Managing Risk: Technology & Communications”, and a Professor at Fordham Law School, where he teaches a postgraduate course on international compliance.
He says, "As reliance on technology grows, so does the potential impact of cybersecurity failures. The recent cyber-attack on public Wi-Fi at 19 UK railway stations[ii] and the July 2024 global IT outage caused by cybersecurity firm CrowdStrike[iii] demonstrate how quickly incidents can spiral, disrupting vital services like healthcare and transportation."
UK Government data[iv] also highlights the urgent need to tighten cybersecurity, revealing in April that half of UK businesses (50%) had experienced a cybersecurity breach or attack in the previous 12 months. For medium-sized businesses the figure rises to 70%, and for large businesses to 74%. These figures are likely to understate the problem: organisations often do not know that they have been breached, and attacks can go undetected for months.
Jonathan says, “NIS2 builds on NIS1, which became national law in 2018 across the EU (including then the UK), but seeks to rectify areas of inconsistency, and provide more specific and defined requirements and applications, while also expanding the scope of the Directive and strengthening cybersecurity measures. Importantly, it also introduces personal liability for senior management, a key shift from NIS1.”
Key Aspects of NIS2:
- NIS2 applies to businesses and organisations (both public and private) categorised as ‘Essential’ or ‘Important’. Both categories have the same cybersecurity management and reporting requirements but are subject to different supervisory and penalty regimes.
- The Directive has extra-territorial scope: a wide range of technology providers, such as cloud service providers, online marketplaces, managed service providers and social networking platforms, fall within NIS2 if they offer their services within the EU, regardless of where they are established. Many UK businesses will therefore have NIS2 compliance obligations.
Potential Penalties
Essential and important entities must report any incident that has a significant impact on the provision of their services to the competent authority or CSIRT (Computer Security Incident Response Team) without undue delay: an early warning within 24 hours of becoming aware of the incident, a fuller incident notification within 72 hours and a final report within one month. Failure to comply with NIS2 obligations can lead to penalties, including:
- Administrative fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities.
- Administrative fines of up to €7 million or 1.4% of total worldwide annual turnover, whichever is higher, for important entities.
- Personal liability for senior management: Member State authorities have the power to hold members of management bodies responsible for breaches of the Directive’s cybersecurity risk-management obligations and, in the case of essential entities, to temporarily ban individuals at chief executive or legal representative level from exercising managerial functions.
Impact on UK Businesses
Though the UK is no longer bound to implement NIS2 following Brexit, UK entities that offer in-scope services to customers in the EU will be subject to the Directive as transposed in the relevant Member States. Managing compliance with multiple cybersecurity regimes may prove burdensome.
The UK government has also announced plans to update its own cybersecurity legislation, with a new Cyber Security and Resilience Bill outlined in the July 2024 King’s Speech. Jonathan notes that while the EU’s approach under NIS2 is more rigorous, UK businesses should be prepared for legislative changes at home that will also affect their operations.
Practical Tips for Businesses
Jonathan Armstrong offers the following advice for organisations preparing for NIS2 compliance:
- Evaluate services: Understand how NIS2 will impact the services your business offers.
- Update processes: Revise incident-handling procedures to meet NIS2 reporting obligations, which carry tighter deadlines (a 24-hour early warning) and involve different regulators from those under the GDPR.
- Train staff: Ensure that members of the management body receive mandatory cybersecurity training.
- Rehearse incidents: Regularly rehearse cybersecurity incidents to ensure a swift and effective response.
- Amend supplier contracts: Review and adjust contracts with suppliers to align with NIS2 requirements.
- Review technical and organisational measures: Ensure the measures your organisation deploys are robust enough to maintain security.
- Board engagement: Inform the board and audit committee about increased liability and ensure they understand NIS2 and cybersecurity risks.
- Update risk register: Reflect NIS2 obligations and increased personal liability provisions in your risk management framework.
Jonathan concludes, “The scope and application of NIS2 are complex, with different obligations for various categories of in-scope entities. Organisations should seek specialist advice to ensure they fully understand how NIS2 applies to them.”