Spotlight on NIS and NIS2

Regulating the cyber security of critical infrastructure across the EU & the UK

06 March 2023

  • The NIS2 Directive was published in the Official Journal of the European Union on 27 December 2022 and entered into force on 16 January 2023.
  • EU member states have until 17 October 2024 to adopt and publish the provisions necessary to comply with the Directive.

The Council of the European Union formally adopted NIS2, replacing the current directive on security of network and information systems (NIS).

In the same week, the UK Government confirmed that it is moving forward with plans to update the NIS regulations as they apply to the UK.

While the two regimes have remained aligned since the UK's exit from the EU, these recent announcements confirm that the cyber security of critical infrastructure will be regulated differently on each side going forward.

Here, Mick Flitcroft, Global Lead for Government Compliance Services, NCC Group, explores the similarities and differences between the UK and EU approaches and what they may mean in practice, drawing on his experience supporting organisations across the economy in complying with the NIS framework.

Which new sectors will be regulated?

In both the UK and the EU, managed service providers such as IT outsourcing service providers will be brought into scope of the regulations.

Looking only at the UK, the Government will have the power to bring other sectors into scope more easily, having recently consulted on plans to require flexible energy providers and data centre operators to comply with NIS.

In addition, recognising the systemic risk posed by the reliance of the UK's critical national infrastructure on a small number of key third-party suppliers, the Government will also have the power to designate certain suppliers or services on which existing essential and digital services depend as critical, meaning they too would fall under the remit of the NIS regulations.

This comes as the financial services sector, which is not regulated under NIS in the UK, faces additional regulatory requirements in the form of the PRA's supervisory statement SS2/21 on outsourcing and third-party risk management and the Financial Services and Markets Bill, both aimed at managing the risks associated with supplier failure, service deterioration and concentration risk. NCC Group hopes to see the two regulatory agendas aligned and will be engaging with competent authorities to advocate a 'Resilience by Design' approach.

In the EU, there will be a significant widening of scope, with organisations in several additional sectors deemed "essential", including space, waste water, public administration (with some exceptions), data centre service providers, trust service providers, content delivery networks, and public electronic communications networks and services. Organisations in other critical sectors, such as postal services, chemicals and the manufacture of key products, will also have to comply with the regulations as "important" entities, but will be subject to less regulatory oversight than those classed as "essential".

While under the old NIS directive member states were responsible for determining which entities met the criteria to qualify as operators of essential services, NIS2 introduces a size-cap rule: all medium-sized and large entities operating within the sectors, or providing the services, covered by the directive fall within its scope. In some of the affected sectors, such as public electronic communications, the directive applies regardless of size, and member states will also have the power to designate organisations as essential or important entities even if they fall below the size cap.

What additional requirements will organisations have to comply with?

Unlike the previous iteration of the NIS directive, the EU’s NIS2 seeks to harmonise requirements across member states by setting out minimum rules for regulatory frameworks and establishing clearer and stronger minimum cybersecurity measures that must be implemented.

These include:

  • risk analysis and information system security policies;
  • incident handling;
  • business continuity and crisis management;
  • supply chain security;
  • secure network and systems acquisition, development and maintenance, including vulnerability handling and disclosure;
  • policies and procedures to assess effectiveness of measures;
  • basic computer hygiene practices and cybersecurity training;
  • policies and procedures regarding use of cryptography / encryption;
  • HR security; and
  • the use of multi-factor authentication (MFA), secured communications and secured emergency communications.

In the EU, regulated entities must also address supply chain security within their security measures. They must consider the specific vulnerabilities and cyber security practices of each supplier, and are "encouraged" to incorporate cyber security measures into contractual arrangements with their direct suppliers.

Meanwhile, in the UK, the cybersecurity measures regulated entities will have to implement will continue to be set by the competent authorities responsible for regulating each sector. However, the UK Government has stated that it will promote “outcomes focused tools such as the Cyber Assessment Framework” which it argues “provides a measure of flexibility for companies.”

What about incident reporting?

Both the UK and EU are updating their requirements so that a greater number of incidents are reported by organisations.

Under the EU's plans, organisations must notify their relevant competent authority or national Computer Security Incident Response Team (CSIRT), and in some cases their service recipients, "of any incident having a significant impact on the provision of their services". An incident is considered "significant" if it has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned, or if it has affected or is capable of affecting others by causing considerable material or non-material damage. Organisations will be required to provide an "early warning" within 24 hours of becoming aware of a significant incident, a full "incident notification" within 72 hours, and a "final report" no later than one month after submitting the incident notification.

Meanwhile, in the UK, the definition of incidents is being expanded to include “incidents that do not actually affect the continuity of the service directly, but nonetheless pose a significant risk to the security and resilience of the entities in question and the essential services they provide.” The final legal definition is yet to be determined, with exact thresholds to be set for each sector by competent authorities. It is likely that the 72-hour reporting deadline will remain.

What are the consequences for non-compliance?

In the UK, there are fines of up to £17 million for non-compliance. In the EU, "essential" entities face fines of up to €10 million or 2% of their total worldwide annual turnover, whichever is higher, while "important" entities face fines of up to €7 million or 1.4% of total worldwide annual turnover, whichever is higher.

What should organisations be doing to prepare?

Understand how the new regimes will affect them: It is important that organisations establish whether they will be captured under the expanded sectoral remits of the EU and UK regulations. In some cases, a sector may fall under one regime but not the other (for now). It is also important to understand whether, at EU level, an organisation or service will be deemed "essential" or "important", as the obligations and level of oversight differ for each.

Adopt a proactive approach to security: Organisations should carry out a thorough gap analysis exercise and ensure that they have plans in place to address any issues and remain compliant.

Have full visibility over systems: A clear understanding of the security implications of all system assets, including those provided or managed by third parties, is essential.

Clear incident handling: Organisations must ensure that they have proper incident handling in place, with prepared materials, processes and procedures to follow in the event of an incident, including the means to meet the 24-hour and 72-hour reporting windows.

What happens next?

NIS2 was published in the Official Journal of the European Union on 27 December 2022 and entered into force 20 days later, on 16 January 2023. Member states have 21 months from that date, until 17 October 2024, to incorporate its provisions into national law.

The timelines for implementation in the UK are less clear-cut, with the UK Government committing to bring forward the necessary legislation "when parliamentary time allows". Given current Government priorities, we would expect the new regime to be in place no earlier than 2024.

Contact our NIS/NIS2 experts

If you need help getting to grips with the new regulations then speak to one of our team today.