The EU has introduced two significant new pieces of legislation that are intended to increase cybersecurity resilience across the European economy and the overall resilience of critical infrastructure providers to incidents that have the potential to significantly disrupt their services. These new laws represent a massive leap forward for the EU while casting a shadow over the UK, which is now lagging behind the pace of its former economic and social partner.
Welcome NIS2 and CER
The first piece of legislation is ‘NIS2’ (or the ‘Second Cybersecurity Directive’, as some are calling it). The second piece of legislation is the Directive on Resilience of Critical Entities (or ‘CER’, for short).
In comparison to its predecessor, NIS1 (which came into effect in May 2018), NIS2 significantly increases the range of service providers that are subject to cybersecurity legislation. They break down into two categories:
The first category consists of ‘critical entities’ as defined in CER, which covers entities providing various listed services in these sectors (regardless of their size): Energy, Transport, Banking, Financial Market Infrastructures, Health, Drinking Water, Waste Water, Digital Infrastructure, ICT Service Management, Public Administration, Space and Food. The second category consists of ‘essential entities’, ‘important entities’ and a range of other entities that provide services listed in the annexes to NIS2, for which there are some size requirements and some requirements for identification of specific entities by the EU Member States. Annex 1 of NIS2 repeats all of the sectors listed in CER, but lists a different range of services within them. Annex 2 covers Postal and Courier services, Waste Management, Chemicals, Food, Manufacturing, Digital Providers and Research.
Management must own cybersecurity risk management
The rules contain a lot of complicated detail, so they should be consulted for the precise parameters of regulation, but in a nutshell regulated entities need to:
- Establish management bodies to approve and oversee cybersecurity risk management.
- Put in place training schemes.
- Adopt appropriate and proportionate technical and organisational measures for cybersecurity, which need to have regard to the state of the art and reflect an ‘all hazards approach’, including towards supply chain risks.
- Report cybersecurity incidents with significant impacts to the authorities without undue delay and issue communications about significant threats and remedial measures to service recipients who are potentially affected.
To keep the regulated entities in check, the regulators have new audit and dawn raid powers, they can order changes of behaviour, and they can impose fines of up to 2% of annual worldwide turnover or 10 million Euros, whichever is higher.
There are also a raft of new measures to ensure that national CSIRTs are more empowered and to aid international cooperation.
What next for the UK?
So where does this leave post-Brexit UK? Well, the UK is currently stuck with its version of NIS1, with a significantly reduced scope of application. It is probably unlikely that many service providers will be calling on the Government to increase red tape, but in 2022 the Government signalled that it would like to adopt a ‘delegated legislation’ approach to improving the law. Perhaps we will see some concrete proposals emerge for this over 2023, as it would surely be embarrassing for the Government if the UK suffered serious cybersecurity outages in areas of the economy that are currently unregulated. Postal services would be an example of one of those, but that’s another story.