The UK is exempt because of Brexit, for now.
Only two EU member states have met the deadline for putting in place the national measures needed to implement the NIS2 directive.
According to a tracker from the DNS Research Federation, only Croatia and Italy have ‘completed’ their preparations, with others underway.
What is NIS2?
NIS2 is a set of legal measures designed to raise the overall level of cybersecurity across the European Union. It introduces requirements such as cybersecurity frameworks, national cybersecurity strategies, incident response teams and risk management protocols.
Jonathan Armstrong, Partner at Punter Southall Law, said: “NIS2 builds on NIS1 which became national law in 2018 across the EU (including then the UK), but seeks to rectify areas of inconsistency, and provide more specific and defined requirements and applications, while also expanding the scope of the Directive and strengthening cybersecurity measures. Importantly, it also introduces personal liability for senior management, a key shift from NIS1.”
Specifically, NIS2 applies to businesses and organisations (both public and private) categorised as ‘Essential’ or ‘Important’. Both categories have the same cybersecurity management and reporting requirements but are subject to different supervisory and penalty regimes.
Also, Armstrong said that the Directive has extra-territorial scope, meaning that a wide range of technology providers, such as cloud service providers, online marketplaces, managed service providers, and social network platforms, will be subject to NIS2 if they offer services to EU Member States, regardless of where they are established. This will mean that many UK businesses will also have NIS2 compliance obligations.
A Positive of Brexit?
Although the UK is no longer bound to implement NIS2 following Brexit, some UK entities with customers in the EU will be subject to the Directive. Armstrong told SC UK there is talk of the UK adopting some of the NIS2 upgrades, but there are no fixed dates yet. “UK businesses with operations in the EU will however still be bound by NIS1 and NIS2 for their EU operations,” he said.
Commenting, Tim Grieveson, SVP and global cyber risk advisor at Bitsight, said: “Ultimately, NIS2 compliance is there to enhance the overall cybersecurity resilience against evolving cyber threats, ensuring that your digital ecosystem becomes a fort of security, rather than a source of vulnerability.
“To ensure compliance with NIS2, enterprises should begin by designating a responsible person or team to oversee the process. It’s essential to first understand and identify the scope of your organisation’s operations that fall under NIS2 regulations.
“Once the scope is clear, familiarize yourself with the specific requirements outlined in NIS2. Conduct a thorough gap analysis to assess where your current practices may fall short of compliance. Based on the findings, create an action plan and allocate the necessary resources. This holistic approach will enable your organization to meet NIS2 obligations effectively.”
Written by
Dan Raywood
Senior Editor
SC Media UK
Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.
Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.