What is the Network and Information Security 2 (NIS2) Directive?


To address the ongoing threat of cyber attacks, the European Union (EU) has put in place the Network and Information Systems Directive (NIS2) – a comprehensive legal framework intended to bolster cyber security by imposing obligations on organisations to manage cyber risks, report incidents, and cooperate with authorities to streamline incident response.

The directive applies to certain critical sectors such as energy, transportation, and health and requires companies to take measures to protect their systems from threats like malware and ransomware, as well as report certain types of incidents to relevant authorities.

The twin directives of NIS2 and the Critical Entities Resilience (CER), which replaces the European Critical Infrastructure Directive of 2008, came into force in January 2023, with member states given until 17 October 2024 to comply. These two measures address varying aspects of cyber security, with NIS2 focusing on enhancing the cyber security of digital service providers and essential service providers, while CER focuses on ensuring the resilience of critical entities in the EU.

The UK, meanwhile, has also updated its own NIS regulations. These have stricter requirements for managed service providers (MSPs) than NIS2, particularly around supply chain security, system hardening, secure remote access, incident response planning, and staff training. MSPs must also report any incidents to the National Cyber Security Centre (NCSC). Despite minor differences between them, the new regulations are now in force, meaning organisations must adapt their systems and processes to the provisions and make the appropriate changes in order to comply.

What are the key provisions in the NIS2 Directive?

The NIS2 Directive is a set of regulations that aims to raise cyber security standards of network and information systems throughout the EU. It requires companies operating in essential sectors, such as energy, transport, banking, financial services, healthcare, drinking water supply, digital infrastructure, public administration, chemicals, food supply and distribution, and space, to bolster network security, incident management, business continuity, and compliance.

NIS2 lays out a set of security requirements for companies operating in these sectors, including incident management, risk assessment, and penetration testing. But it also establishes a cooperation network for sharing information on cyber threats and incidents between member states as well as the European Union Agency for Cybersecurity (ENISA).

There are also requirements for incident reporting, voluntary certification schemes, and supervision and enforcement by national authorities. The directive, finally, includes risk management through regular risk assessments and implementation of appropriate security measures to mitigate identified threats. These measures may include incident management processes, business continuity plans, and compliance with relevant regulations. Companies must also monitor and evaluate the effectiveness of these measures on an ongoing basis.

NIS2 vs UK NIS: What’s the difference?

While both sets of regulations share similar objectives, they differ in scope, definitions, reporting processes, certification, penalties, and supervision.

There are also specific requirements for MSPs in the UK legislation. UK-based CIOs and IT managers must also understand the requirements and implications of both sets of regulations, and ensure overall compliance if they fall under the jurisdiction of both.

NIS2 vs UK NIS: Scope and definitions

The UK NIS regulations apply to all operators of essential services (OES) and digital service providers (DSPs) regardless of sector, while the EU’s NIS2 directive applies to companies operating in certain critical sectors such as energy, transportation, and healthcare.

An OES is a company or organisation that provides a service essential for maintaining life, public safety or security, or economic and societal activities. Generally, these services are considered critical to the functioning of society and the economy, such as electricity, water, health, transport, and digital infrastructure. Examples of OES include utility companies, transportation providers, hospitals and telecoms providers. Examples of DSPs include Amazon Web Services, Google, Facebook, and eBay.

Under NIS2, the same sectors are covered as in the UK regulations, but with some differences in the exact requirements and thresholds. In addition to these sectors, the UK regulations apply to certain other types of businesses, such as providers of online marketplaces and search engines, providers of online messaging services, higher education institutions, and public sector organisations. These businesses would be covered by the UK legislation, but not the EU legislation.

NIS2 vs UK NIS: Incident reporting

Both the UK's NIS regulations and NIS2 require OES and DSPs to report certain types of incidents to the relevant authorities.

The EU directive does encourage member states to establish mechanisms for the exchange of information between OES and DSPs, including the exchange of information on specific incidents. This information exchange can be done on a voluntary basis, and it's up to each member state to decide how to implement it.

The UK regulations define a cybersecurity incident as an event that has a significant impact on the continuity of the essential services they provide, the security of the network and information systems they use to provide those services, or the personal data they process.

NIS2 vs UK NIS: Certification

The UK NIS regulations require OES and DSPs to be certified by a relevant certifying body, while the EU NIS directive allows member states to adopt voluntary certification schemes for OES and DSPs.

The certification requirement under the UK NIS regulations means that OES and DSPs must be certified by a relevant certifying body to demonstrate that they have taken appropriate steps to manage risks. This certification process is mandatory and ensures that companies operating in these sectors are held to a high standard of cybersecurity.

In contrast, NIS2 allows member states to adopt voluntary certification schemes for OES and DSPs. This means that the certification process is not mandatory, and companies may choose to be certified under the voluntary scheme to demonstrate their credentials.

NIS2 vs UK NIS: Supervision and enforcement

The UK NIS regulations have designated the NCSC as the organisation with the power to supervise and enforce compliance, while the EU’s directive grants member states the remit to delegate supervision and enforcement to regulators within each country, depending on their preference.

The level of fines also differs, with the UK’s regulations imposing up to £17 million, or 4% of global turnover, for non-compliance, while the EU’s version allows member states to impose non-specific administrative fines. The penalties are expected to be much higher in the UK than across the continent.

NIS2 vs UK NIS: Demands for MSPs

There are stricter rules and requirements for MSPs under UK NIS than NIS2, which means UK MSPs will have to comply with stricter security measures.

Examples include implementing strong access controls, such as multi-factor authentication (MFA), to prevent unauthorised access to systems and networks; regularly testing and assessing the effectiveness of security measures to identify vulnerabilities and address them promptly; and maintaining comprehensive records of security incidents, including details of the incident and the steps taken to address it.

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.