Strengthening cybersecurity laws: changes to the EU's and the UK's NIS regimes

NIS stands for "network and information systems". These have become central to everyday life, with a huge increase in digitalisation, interconnectedness of society and cross-border data exchanges.  A corresponding surge in the number and sophistication of cyberattacks threaten those systems, a situation which has been exacerbated by the geopolitical climate, including the pandemic and the conflict in Ukraine. 

In very broad terms, the current NIS regimes in the EU and the UK essentially require in-scope organisations to adopt appropriate security measures to protect against cyber threats, including monitoring, auditing and testing, together with specific procedures to report and respond to security breaches.  Both the UK and the EU recognised the need to adapt their respective NIS legislation to respond to the changing threat landscape. 

What is changing and why?

In the EU, the NIS2 Directive will replace the EU's current directive on security of network and information systems (NIS1) and cover new sectors.  Meanwhile, the UK Government announced on 30 November 2022 that it is pressing ahead with its proposals to improve the UK's cyber resilience, including by extending the existing scope of the Network and Information Systems Regulations 2018 (NIS Regulations) to regulate managed IT service providers.  Following Brexit, the UK is no longer required to follow the NIS2 Directive and although it could choose to follow the EU's approach, it does not appear minded to do so – hence the concerns over divergence.

The EU's NIS2 scope increases are more far-reaching than those currently proposed by the UK Government, although both regimes will be extended to cover managed service providers.  The UK Government also plans to give itself the power under new legislation to bring other sectors and organisations into scope (although concedes that this should be made subject to further safeguards).

Seeking to harmonise requirements across Member States, NIS2 will leave less discretion to Member States than its predecessor, setting out minimum rules for regulatory frameworks and establishing more stringent cybersecurity measures that must be implemented.  It requires in-scope entities to implement "appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which those entities use in the provision of their services" in connection with a list of specified matters, such as incident handling, business continuity, supply chain security, encryption, access control, the use of multi-factor authentication, and vulnerability handling and disclosure.  NIS2 will impose responsibilities on “management bodies” of essential and important entities to approve cybersecurity measures and supervise their implementation; management may also be held liable (as well as temporarily banned) if the organisation does not comply with cybersecurity requirements.

The UK will take a different (more flexible) approach.  Competent authorities responsible for regulating each sector will continue to set the cybersecurity measures which regulated entities will have to implement.  The UK Government also sees “outcomes focused tools such as the Cyber Assessment Framework [as providing] a measure of flexibility for companies".

Both NIS2 and the UK Government's proposals entail more stringent incident reporting requirements but the EU's reporting regime will be more onerous than that in the UK.

Under NIS2, different rules apply to "essential entities" and "important entities" for cybersecurity breaches. Essential entities are subject to fines of €10m or, if higher, 2% of the total annual global turnover. Important entities are subject to a maximum fine of €7m or, if higher, 1.4% of the total annual global turnover of the undertaking in the previous financial year. Essential entities may also be subject to proactive oversight, such as strict audits, including on and off-site inspections, whereas investigations of important entities are only carried out on a reactive basis, e.g. if the supervisory authority receives information that an important entity is suspected of non-compliance with NIS2.

The UK also proposed a two-tiered approach to digital service provider supervision - a proactive supervisory regime for the most critical digital services and a reactive one for the rest. In response to consultation feedback, the government is considering whether a more flexible, risk-based assessment would work better. It plans to implement these changes through non-legislative means (i.e. the ICO is to produce and update guidance on how it will regulate digital services).

There is currently no indication that the UK reforms will increase the penalties for non-compliance above the current £17m limit.

NIS2 came into force on 16 January 2023 and must be implemented by Member States by 17 October 2024.

The timeframe for changing the NIS Regulations, subject to the finding “a suitable legislative vehicle” to do so, is less clear and will be made "as soon as parliamentary time allows".  An updated regime is unlikely to be in place before 2024.

A difference in the timing of implementation is likely to increase costs to some extent, as businesses active in both the UK and the EU will need to allocate time and resources to compliance exercises on two occasions rather than one.

Cybersecurity threats do not respect international borders - an attack on a "weak link" in one territory can have repercussions for citizens and businesses in another, regardless of whether they are in the EU or in the UK.  In a highly interconnected world, if one country adopts a substantially weaker regulatory regime in pursuit of competitive advantage, this may bring jobs and investment but at the cost of increasing the overall level of cyber-risk – with a corresponding negative impact on the wider economy.

Revising NIS1 will address sub-optimal implementation in one Member State negatively impacting cybersecurity in another.  The UK's National Cyber Strategy also recognises that threats to the UK's cybersecurity cannot be tackled effectively without international cooperation…

…but the UK Government also aims for cyber power for the UK in support of national goals, to provide the UK with a competitive edge in the international arena.  Despite some disquiet expressed in feedback to the UK Government's consultation about potential divergence between the UK and EU's approach to NIS, the UK Government has clearly stated that it intends to forge its own path:

Is divergence worth it?

The UK Government might argue that its more flexible, risk-based approach (leaving much of the detail to secondary legislation and regulator guidance) can achieve the same results but at a lower cost to business.  However, any organisations that are "essential" or "important" entities with customers across the UK and the EU will need to comply with NIS2 in any event.  As such, the space for the UK to gain competitive advantage from a divergent approach may be somewhat limited – and if the UK diverges significantly from the EU's approach, those same businesses will face extra costs from having to comply with two substantially different sets of rules.  Given the UK Government's aim to "minimise regulatory burdens", it is to be hoped that it will be cognizant of this risk.

A more positive way of viewing the UK's approach is that if it can prove that its regulatory regime is superior to that of the EU (i.e. it achieves broadly the same objectives but at lower cost to business), the latter might be persuaded to adopt it in future – in which case a degree of ongoing regulatory "competition" with the EU could, in the long run, prove to be a good thing for both sides.  However, for this strategy to be effective, the UK really needs to be "getting out in front" of the EU when it comes to regulation and leading by example.  In this case (as in a fair number of other areas), it is the EU which is in the lead in terms of updating its cybersecurity regime, with the UK somewhat belatedly following suit – having largely missed the opportunity to influence NIS2 in what it would see as a more positive direction.

Of course, there's unlikely to be a uniform approach across the EU either.  While NIS2 seeks to achieve a higher level of harmonisation than the current rules, it does not preclude Member States from adopting provisions ensuring a higher level of cybersecurity, provided that such provisions are consistent with their obligations under EU law, so in the EU too there is likely still to be some divergence between Member States.

What about other, related sectors such as financial services?

There is also a need for coordination with regulation outside the scope of the NIS regime, particularly in the financial services sector.  In the UK, the Government will need to work closely with the Financial Conduct Authority and Bank of England, and their proposals relating to critical third parties in the financial sector aimed at managing the risks associated with supplier failure and concentration risk.  The EU has sought to align NIS2 with the regulation on digital operational resilience for the financial sector (DORA) and the directive on the resilience of critical entities (CER), to ensure coherence between NIS2 and those acts.