In January 2023, the European Union adopted a new version of the Network and Information Security Directive (NIS2), setting out four overarching control areas of risk management, corporate accountability, reporting obligations and business continuity. It also includes the addition of 10 minimum measures to implement an effective cybersecurity baseline. The aim of NIS2 is to increase the level of cybersecurity and resilience within critical organisations and their entire network of interconnected systems, including third parties across the European Union. The directive is set to be transposed into the national laws of member states by 17 October 2024.
Although the UK is not directly implementing NIS2, businesses that operate across the EU or are suppliers of businesses that fall under its scope are likely to see requirements being passed on to them. Additionally, we expect the UK will seek adequacy against NIS2 and will make changes to existing cybersecurity laws. These changes may include expanding the scope of applicable industries, broadening the scope of managed service provider services, incorporating more supply chain security-related policies and increasing incident reporting obligations.
NIS2 applicability
NIS2 applies to all entities providing essential or important services to the European economy and society, including both companies and suppliers.
- Essential entities: thresholds vary by sector, but generally 250 employees, annual turnover of €50m or a balance sheet of €43m.
- Important entities: thresholds vary by sector, but generally 50 employees, annual turnover of €10m or a balance sheet of €10m.
Supervision
To ensure compliance with NIS2, competent authorities will have new powers. These include:
- conducting on-site inspections and off-site supervision, which could also include random checks;
- ad hoc, regular and targeted security audits;
- security scans; and
- requests for information and access to data and evidence of implementation of cyber security policies.
Penalties
The requirements vary based on an entity’s designation, but regardless, the penalties for non-compliance are severe.
- Directors and management can be held personally liable for failures in implementation, with various offences attracting criminal penalties including fines and/or possible imprisonment.
- Fines can reach up to €10m or 2% of total turnover (for essential entities) or €7m or 1.4% of total turnover (for important entities).
- Regulators may suspend business operations if necessary for network security.
How we can help
Applicable organisations must take steps to prepare for compliance. Below are the steps we can assist you with.
We will assess if your organisation is in scope, your relevant designation (essential or important) and your current readiness to achieve compliance. This includes:
- a scope review identifying the applicability of NIS2 and your organisation’s obligations; and
- an assessment of the impact of NIS2 on your current cybersecurity framework and control environment.
We will create an implementation plan against the directive’s requirements and support you in executing remediation to achieve compliance, including:
- development of a prioritised cybersecurity control implementation plan and strategy to address identified gaps and cybersecurity risks;
- creation of cyber policies, cyber incident response plans and cyber incident reporting processes;
- creation of third-party risk management frameworks and assessment of your third parties' cybersecurity provisions; and
- development of cybersecurity governance structures, ways of working and a defined approach for cybersecurity oversight.
We will continue to support you by developing self-reporting mechanisms to track compliance, providing assurance through independent reviews and monitoring NIS2 changes and interpretations from member states. This includes:
- defining Key Risk Indicators (KRIs), Key Performance Indicators (KPIs), metrics and reporting structures to track continuous compliance;
- developing an internal audit plan for ongoing compliance assurance; and
- advisory services to support you in understanding and achieving compliance with the intertwined cybersecurity legislative landscape.
If you would like further information on any of the topics discussed above, please contact Stuart Leach, Sheila Pancholi or your usual RSM contact.