NIS Regulations. How does it differ from the EU version?

NIS Regulations. How does it differ from the EU version?

The Network and Information Systems (NIS) Regulations 2018 is the UK’s approach to boost the cyber security of network and information systems that provide essential services and digital services. The UK government laid these regulations in response to the growing reliance on technology and a recognition that the failure of these network and information systems is a considerable threat to the UK. It came into force on 10 May 2018 and is part of the UK’s £2.8 billion National Cyber Strategy and is based heavily on the EU’s 2016 NIS Directive.

This article shall attempt to compare the approaches to cyber security legislation used by the UK and EU to highlight any similarities and potential conflicts. We’ll also try to note where the jurisdiction of each document set ends and begins.

How are the NIS Regulations different from the NIS / NIS2 Directive?

The NIS Regulations are based on the NIS Directive issued in the EU in 2016. The NIS Regulations categorise organisations into Operators of Essential Services (OES), and Relevant Digital Service Providers (RDSP). While the EU leaves it to each Member State to determine and establish their own Competent Authorities (CA) and Computer Security Incident Response Teams (CSIRT), the UK has this defined. The Government Communications Headquarters (GCHQ) is the Single Point of Contact (SPOC) and CSIRT for the NIS Regulations and is responsible for monitoring and receiving incident reports for cyber security in the UK. Each sector also has its own CA. For example, you have the Secretary of State for Energy Security and Net Zero for the Energy Sector, and the Secretary of State for Transport in the Transport Sectors. In Figure 1 and 2 below, you can see how these are broken down, and the similarities between the NIS Regulations and the 2016 NIS Directive. In the NIS Regulations, each OES and RDSP have criteria and thresholds where an organisation would fall under the jurisdiction these regulations should they meet them.

It is worth noting that following a public consultation in Nov 2022, the UK Government will expand the scope of the Regulations to include Managed Service Providers (MSPs). An MSP is an IT service provider defined as being:

  • Business to business (B2B)
  • Related to the provision of IT services (systems, infrastructure, networks, and/or security)
  • Reliant on network and information systems
  • Providing regular and ongoing management support, active admin and/or monitoring of IT systems, IT Infrastructure, IT network and/or security

This change has not yet been implemented and is currently (as of May 2024) waiting on Parliament to have time to put it in place; hence why this is not reflected in these figures.

Figure 3 (below) shows how the EU has expanded the sectors that will be covered by the NIS2 Directive. This is quite a considerable expansion and looks to bring many more sectors under the jurisdiction of the NIS2 Directive when compared to the UK’s NIS Regulations.

As covered in our last blog piece about NIS2 (which can be found here), the incident reporting timeline and requirements have become a lot more detailed. One of the key changes being that entities are required to issue early notifications to their relevant CSIRT within 24hrs of the incident being discovered. However, the UK NIS Regulations maintain that OES and RDSPs only need to report an incident within 72hrs of discovery as per the 2016 NIS Directive.

While we are still waiting on the specifics of how NIS2 will be implemented in law across each Member State, it does provide some basic, high-level expectations for cyber security. Comparatively the NIS Regulations define the Security Duties expected of OES and RDSPs. However, the NIS Regulations rely on secondary legislation, government bodies (such as NCSC, HSE etc), and the CAs to define the specific requirements for each sector and how the security requirements will be enforced.

What are the potential impacts?

NIS Regulations give power to a CA or the Information Commissioner to issue a penalty fee under the following criteria:

  • Not more than £1,000,000 for a contravention that was not a material contravention.
  • Not more than £8,500,000 for a material contravention that does not meet the criteria below.
  • Not more than £17,000,000 for a material contravention that could have created a significant risk/impact to the service provision by the OES/RDSP.

A material contravention is when the enforcement authority deems there to have been a breach of duties as defined in the NIS Regulations; or a failure to take, or adequately take, one or more required steps described in an enforcement notice to rectify a breach of duties.

This approach is more risk-based and focuses stricter penalties on higher levels of impact to the UK economy. It could also potentially be seen as a lesser financial impact than NIS2 penalties, which could see an essential entity be fined up to 10 million Euro or 2% of their worldwide annual turnover (whichever is higher). It’s important to note that at this stage, the EU is leaving the assessment and implementation of any penalties to each Member State, so the criteria for assigning penalties has yet to be determined, but at present any perceived breach in the EU could result in a fine.

My business is incorporated in the UK but I also provide services to the EU. Which do I need to comply with?

To cut a long story short…it depends. Both the NIS2 and NIS Regulations define what types of organisations fall under their jurisdiction. The NIS Regulations do allow for coordination and shared reporting in the case of RDSP which often operate in several countries and have no fixed HQ. This is also covered in NIS2. Both legislations also give power for decision making to their relevant CA for them to define what entities will be under their jurisdiction.

If your business does enough activity to be within the thresholds in order to be defined as an OES or Essential / Important Entity, as well as having a physical location within the UK or EU respectively, it is worth taking the time to communicate with the relevant CA in the UK and the Member State(s) where you do business to see if they will confirm whether they consider your business to be an OES, Essential or Important Entity.

Unfortunately, if you find that your organisation has to comply to both pieces of legislation then you could have to pay double in the event of a breach of duties.

Fortunately, the best way to deal with this is to make sure your cyber security risk management is up to scratch; and there is no better time than now. While regimes change, and policies / laws are pending implementation, organisations should be looking to revamp their cyber security risk management to ensure that cyber risk is being appropriately handled in a holistic manner that addresses people, policies, processes, and technology.

How can Arcanum help?

As mentioned in our last blog piece there are several approved cyber security frameworks and standards that can help to guide your organisation’s journey and improve your overall cyber security posture. However, it can be difficult to navigate that guidance, especially if your organisation does not have the appropriate resource to handle such a process. This is where expert, qualified third parties can help. We can assist you with understanding, prioritising and managing your risks according to your organisational risk appetite. We can also help assess your networks and information systems and guide you through your chosen framework. Whether you need to use the NIST Cyber Security Framework, implement some ISO 27001 controls to secure your IT, or employ the ISA/IEC 62443 set of standards to secure your Operational Technology (OT). There are a number of approaches you take to secure your systems and organisation.

At Arcanum, our cyber security teams are experienced in implementing and assessing all aspects of security within both IT and OT environments. We can offer your organisation independent, vendor-agnostic advice, that is tailored to your specific business needs, while providing the highest level of risk reduction possible in your situation, without impacting normal business functions.

call: 02922 784452

email: contact@arcanum-cyber.com