NIS2 Regulations Are Coming – Are You Ready?

The European Union's Network and Information Security (NIS) directive is evolving, with tighter rules and tougher sanctions that will apply to more organisations than was previously the case.

Those that assume they won’t fall under its remit could find themselves on the back foot, unless they get up to speed with the likely compliance requirements now. 

Many UK businesses have had to comply with the EU Network and Information Systems (NIS) cyber security standards for years. The regulations were imposed in 2016 to better protect the security and resilience of essential everyday services – such as water, energy, healthcare, transport and digital infrastructure – from online attacks, and they remain part of British law. The regulations are tightening for those countries that are still part of the EU, with stricter rules and reporting requirements, and higher penalties for compliance failures.

When it takes effect in 2024, the updated legislation will apply to medium-sized and large UK businesses that provide their services or carry out their activities in the EU. Those that only operate in the UK can’t relax, however, as the original NIS regulations will continue to apply to UK organisations. In addition, a number of new industry sectors not covered by NIS1 are now being pulled in. 

More significantly, a UK version of the rules is coming very soon: at the start of this year the government stated that “the NIS regulations will be updated as soon as Parliamentary time allows”. The intention is to strengthen the UK’s cyber laws against digital threats, according to Cyber minister Julia Lopez, in order to protect essential services and the IT providers which keep them running.

Once the rules come into force, affected organisations will be subject to random checks, regular security audits, on-site inspections and off-site supervisions. For those found to be in breach of the regulations, penalties could be as high as 10 million Euros or 2% of their global turnover - whichever is higher.

The Ground It Will Cover

It’s highly likely that the UK’s NIS framework will be very similar to the EU’s version. This means that entities which come under its remit will be required to perform regular security assessments, adopt incident response plans, appoint a chief information security officer (CISO), and report significant incidents to the national authorities, among other obligations.

The UK government has indicated that its NIS update will follow the EU’s lead in improving and streamlining the way in which cyber incidents are reported to regulators. Under NIS2, organisations must notify of any incident that has a significant impact on the provision of their services, for instance by causing severe operational disruption or financial loss. 

There is also plenty of focus in NIS2 on the cornerstones of sound cyber risk management – in particular the proper control of administrator-level account credentials, privileged access, and endpoints, all of which are prime targets for attackers.

Expanding The Scope

A number of new sectors are being pulled into the regulations, including space, waste management, research and development and a wider range of healthcare companies. Organisations are split into ‘critical’ and ‘important’ entities.

The burgeoning third party threat will also be addressed. Managed Service Providers (MSPs) are being added to the list of ‘critical entities’ to which the directive applies, in a move designed to keep the digital supply chains involved in the running of essential services secure. MSPs are often granted privileged access to corporate systems and networks, which creates security risks. Cyber criminals can take advantage of any vulnerabilities to attack and disrupt multiple organisations, as illustrated in the devastating MOVEit breach earlier this year. 

How Should You Prepare?

Organisations should take action now to establish whether the EU or UK NIS2 regulations will apply to them, and ensure they can implement and demonstrate best practice in good time.

They need to determine their obligations in relation to cyber risk management. What changes need to be made to existing processes, policies and practices to meet them? Are the basic cyber hygiene principles in place? As a priority, businesses must review their incident response plans and incident management and reporting procedures. It’s also a good idea to get a head start on undertaking third party security assessments, and incorporating security requirements into contracts. 

Given the framework’s focus on protecting privileged admin accounts, businesses should take measures to limit who possesses these powerful credentials – both across the organisation and within the supply chain. Implementing privileged access management (PAM) will allow IT to control who is granted access to which systems, applications and services, for how long, and what they can do while they’re using them.

It’s important that organisations engage now with the requirements of the updated NIS2, and build an understanding of what it means for them - especially those that weren’t covered by NIS1.

This should be viewed as more than just a compliance exercise. By adhering to the strengthened framework, businesses will build a foundation of resilience that protects the organisation, the services they provide, the communities that use them, and the wider UK economy from threats that could cause significant disruption and even endanger lives. 

Graham Hawkey is  PAM specialist at Osirium

You Might Also Read: 

Connected Devices Must Be More Secure:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« British Police On High Alert After Supply Chain Breach
Undetected Attackers Could Be Inside Your IT Systems Now »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Securi-Tay

Securi-Tay

Securi-Tay is an information Security conference held by the Ethical Hacking Society at Abertay University, Dundee.

National Defence Radio Establishment (FRA) - Sweden

National Defence Radio Establishment (FRA) - Sweden

The National Defence Radio Establishment (Försvarets Radioanstalt), is the Swedish national authority for Signals Intelligence, also providing Information assurance services to government authorities.

Certus Software

Certus Software

Our Secure Data Erasure solutions protect customer data confidentiality by completely erasing it from data storage devices.

PROOF

PROOF

PROOF is a Brazilian leader in cybersecurity. Our goal is to assist our Customers in managing security efficiently and in tune with business needs.

Absolute IT Asset Disposals

Absolute IT Asset Disposals

Absolute IT Asset Disposals is an IT asset disposal (ITAD) company providing safe and secure recycling of IT assets.

Startup Wise Guys

Startup Wise Guys

Startup Wise Guys is a mentorship-driven accelerator program for early stage B2B SaaS, Fintech, Cybersecurity & Defense AI startups.

BI.ZONE

BI.ZONE

BI.ZONE creates high-tech products and solutions to protect IT infrastructures and applications, and provides services from cyber intelligence and proactive defence to cybercrime investigation.

Secure Ideas

Secure Ideas

Secure Ideas is focused on penetration testing and application security including web applications, web services and mobile applications.

SecureLogix

SecureLogix

SecureLogix deliver a unified voice network security and call verification solution. Protect against call attacks & fraud.

State Service of Special Communications & Information Protection of Ukraine (SSSCIP)

State Service of Special Communications & Information Protection of Ukraine (SSSCIP)

State Service of Special Communications and Information Protection is the technical security and intelligence service of Ukraine, under the control of the President of Ukraine.

IronClad Encryption (ICE)

IronClad Encryption (ICE)

Ironclad Encryption is Dynamic Encryption. The encryption sequence changes continuously so there is never a correlation between data sent and data received.

QAlified

QAlified

QAlified offer independent testing and quality assurance services for software projects including security testing.

Devolutions

Devolutions

Devolutions make best-in-class Privileged Access Management, Password Management, and Remote Connection Management solutions available to ALL organizations — including SMBs.

Acronis

Acronis

At Acronis, we protect the data, applications, systems and productivity of every organization – safeguarding them against cyberattacks, hardware failures, natural disasters and human errors.

CyberMontana

CyberMontana

CyberMontana is a statewide initiative providing cybersecurity awareness, training, and workforce development for businesses and residents of Montana.

Dialog Enterprise

Dialog Enterprise

Dialog Enterprise is the corporate ICT solutions arm of Dialog Axiata, Sri Lanka’s leading connectivity provider.