Copenhagen-based Kim Larsen, CISO at Keepit, tells us why IT teams in the UK need to prepare for the EU’s new Network and Information Systems Directive.
From October, a new directive designed to safeguard critical infrastructure and protect against cyberthreats comes into force across the European Union (EU). And although the United Kingdom is no longer a member of the EU, it’s still really important to understand the changes: the Network and Information Systems Directive (NIS2) is highly relevant, especially for UK businesses operating in the EU.
Not to mention that the regulations align closely with the UK’s own robust cybersecurity frameworks, including the anticipated Cyber Security and Resilience Bill introduced in the King’s Speech this summer. So preparing for the changes now could help when it comes to complying with UK regulations in the future.
Why does this matter in the UK?
- Set yourself apart
Like GDPR, NIS2 attempts to unify the way the whole of the EU approaches data. And, much like GDPR, it’s anticipated that NIS2 will set global standards that will increasingly become best practice worldwide. By adopting NIS2 standards early, UK businesses will make it easier for EU partners to work with them. And, if nothing else, demonstrating an understanding of and adhering to high cybersecurity standards can help businesses stand out, especially in sectors where security and trust are crucial.
- Strengthen business relationships with EU partners
No business operates in a vacuum, and many UK organisations rely on strong relationships with EU partners. These relationships may increasingly hinge on following NIS2 standards: as we saw with GDPR, many EU companies may require their suppliers and partners to comply with equivalent cybersecurity measures. Failing to do so could limit opportunities for collaboration or result in lost contracts. It makes sense to start now and really get to know the directive, so it’s easier to align cybersecurity practices with NIS2.
- Align with future regulations
When the Cyber Security and Resilience Bill was introduced to Parliament, it demonstrated that although the UK is no longer bound by EU legislation, it is almost inevitable that the UK government will introduce similar regulations to maintain alignment with international standards. It makes sense. Given the interconnected nature of global cyberthreats, it’s not practical to reinvent or move away from existing regulation. So by understanding what’s coming, and aligning with NIS2, UK organisations will be much better prepared for future national regulatory changes too – and of course better protected against cyberthreats.
- Build cyber-resilience
This goes beyond compliance for compliance’s sake. When it comes into force, NIS2 is designed to protect organisations from cyberattacks and can significantly enhance cyber-resilience. With an emphasis on risk management, incident response, and recovery, UK businesses that adopt these practices can better protect themselves, respond more effectively to incidents, and, ultimately, safeguard their operations and reputation.
Enter the Cyber Security and Resilience Bill
But it’s not just NIS2 that needs to be on UK businesses’ radar. When the UK government set out plans for a Cyber Security and Resilience Bill, it represented a significant strengthening of the UK’s cybersecurity resilience. If passed, this legislation aims to fill critical gaps in the current regulatory framework, which has been inherited from EU law and needs to adapt to the evolving threat landscape.
The good news is, because much of the Bill and NIS2 align, the burden on business isn’t as great as it could be.
Key provisions of the Bill:
- Expanded regulatory remit: The Bill expands the scope of existing regulations to cover a wider array of services that are critical to the UK’s digital economy. This includes supply chains, which have become increasingly attractive targets for cybercriminals, as we saw in the aftermath of recent attacks on the NHS and the Ministry of Defence. This means that more companies need to be aware of potential legislative changes.
- Stronger regulatory framework: The Bill will put regulators on a stronger footing, enabling them to ensure that essential cybersafety measures are in place. This includes potential cost recovery mechanisms to fund regulatory activities and proactive powers to investigate vulnerabilities.
- Increased reporting requirements: An emphasis on reporting, including cases where companies have been held to ransom, will improve the government’s understanding of cyberthreats and help to build a more comprehensive picture of the threat landscape, for more effective national response strategies.
If passed, the Cyber Security and Resilience Bill will apply across the UK, giving all nations equal protection.
How the new rules fit with current legislation
This is not a case of completely rewriting the rule book. The UK already has a strong foundation when it comes to cybersecurity, and much of its existing guidance aligns closely with the principles of NIS2 and the new Cyber Security and Resilience Bill. Take, for example, the National Cyber Strategy 2022, which focuses on building resilience across the public and private sectors, strengthening public-private partnerships, enhancing skills and capabilities, and fostering international collaboration. Or the National Cyber Security Centre (NCSC) guidance, which complements the new rules with its focus on incident reporting and response and on supply chain security. So companies already following these rules are starting off strong.
Sobering lessons
This is not just about complying with the latest regulations. Cyberattacks can be devastating to the organisations involved and to the customers or users they serve. When it comes to understanding why cybersecurity and resilience are important, there are several high-profile incidents in the UK that demonstrate the impact of an attack.
Take, for example, the ransomware attack on NHS England in June this year, which resulted in the postponement of thousands of outpatient appointments and elective procedures. Or the 2023 cyberattack on Royal Mail’s international shipping business, which cost the company £10 million and highlighted the vulnerability of the transport and logistics sector. Or the security breach at Capita, also in 2023, which disrupted services to local government and the NHS and resulted in a £25 million loss.
We’ve already seen that, when it comes to data, it’s impossible to operate in a silo. The way we work across borders and geographies means that legislation and directives can reach much further than the countries they were originally intended for. So understanding NIS2 and preparing for it means that UK businesses can better protect themselves against cyberattacks, that they’re more attractive to European partners, and that they’re contributing to national cyber-resilience.