On 17th October 2024, NIS 2 is due to come into force. It expands on the requirements laid out in the Network and Information Security Directive (NIS) introduced in 2020.
While NIS 2 is a piece of EU legislation, non-EU entities such as UK companies providing essential or important services to the EU are affected.
With a high number of UK organisations at risk of non-compliance, here we cover what NIS 2 means for companies and the key metrics you should be monitoring.
What is NIS 2?
The NIS 2 Directive is a legislative act that aims to achieve a high level of cybersecurity across the EU.
The original NIS directive was intended to improve cybersecurity for EU member states; however, there were problems with its implementation. As organisations face increased risks from bad actors every day, the EU is implementing NIS 2.
What are the key differences in NIS 2?
NIS 2 expands the number of covered sectors from 7 to a total of 18, to ensure greater cybersecurity coverage for vital areas such as telecoms.
One intention of NIS 2 is to introduce thresholds to ensure all medium and large size companies in affected sectors are included in its scope. That means medium-sized organisations with 50 employees, an annual turnover of €10m or a balance sheet of over €10m are covered by the directive.
For large organisations, it’s 250 employees, €50m annual turnover or a €43m balance sheet.
It’s considerably stricter, with more stringent requirements facing organisations in an attempt to bring more consistent cybersecurity standards across multiple essential services. Areas of regulation include incident reporting and business continuity. There are also new requirements around monitoring, auditing and testing.
And the penalties for non-compliance will be more severe, with both hefty financial fines of up to 2% of turnover as well as legal ramifications for management teams. Top management will be held personally liable for negligence in case of a security incident, so the stakes are pretty high.
Will the UK implement NIS 2?
The UK government has said it doesn’t intend to implement NIS 2, diverging from EU regulation. However, that doesn’t mean UK companies shouldn’t be trying to proactively take on board the principles of the legislation and get ahead of any legislative changes.
The recent ransomware attack on the NHS is a clear demonstration of the threat facing organisations, and “a major cyber attack on the United Kingdom is a matter of ‘when, not if’” according to a House of Commons Committee report. As such, NIS 2 is an opportunity for organisations to benchmark and improve their cybersecurity posture.
While the UK may not implement NIS 2 directly, the UK government has expressed receptiveness to taking on board some of its features. For example, it has indicated it supports feedback that NIS be expanded to cover new sectors in the future.
The Cyber Security and Resilience Bill, announced a few weeks ago, also aims to bring major changes to the UK’s outdated security legislation.
There are also signs there may be greater EU alignment, after recent comments about “resetting” the relationship with the EU, so it pays for UK organisations to expect further changes in law and stay ahead of the curve.
But if you operate in the UK, and provide services to EU entities, you are impacted by the law and need to be compliant, even if you are not based in the EU. This targets companies like DNS service providers, cloud computing service providers, managed security service providers and others. Importantly, if these companies are not based in the EU but offer services there, they must appoint a representative within the EU.
How does the UK get ready for NIS 2?
Worryingly, it’s estimated that 58% of third-party suppliers (of 50 to 1000 employees) are not ready for NIS 2 compliance. So it’s vital that organisations move fast to boost their security posture.
NIS 2 stipulates a number of key areas where organisations must be compliant.
- Duty of care. You must carry out a risk assessment. Based on this risk assessment you should take measures to guarantee business continuity as much as possible and protect the information used.
- Duty to report. Where incidents might disrupt the provision of essential services, you have the duty to report incidents to the supervising authority within 24 hours. Whether an incident is subject to the duty to report depends on several factors such as the number affected, the duration of the disruption, and the potential financial losses.
- Supervision. Organisations in some sectors covered by the NIS 2 directive will be under supervision. The supervisory body will look at compliance with the obligations of the directive, such as the duty of care and the duty to report.
To ensure compliance with these areas, it’s imperative for board-level reporting to encompass a comprehensive set of strategic key performance indicators (KPIs). Organisations that are more mature in their compliance structure may also look at Key Risk Indicators (KRIs).
These metrics serve as essential tools to assess risk and provide evidence to the board about the organisation’s compliance, as well as carry out assurance of critical third-party suppliers.
Examples of useful KPIs
On the KPI side, metrics that can support demonstration of NIS 2 compliance include:
- Number of security incidents. Measure the number of security incidents and breaches that have occurred within a specific period. A low number of incidents indicates effective security measures and compliance.
- Patch management compliance. Measure the organisation’s adherence to timely patch management. It assesses the percentage of critical vulnerabilities patched within a specified timeframe, indicating proactive security maintenance and compliance.
- Employee training completion rate. Track the percentage of employees who have completed mandatory cybersecurity training. A high completion rate indicates a culture of security awareness and compliance with training requirements.
- Third-Party threat assessment. Evaluate the frequency and comprehensiveness of third-party risk assessments conducted by the organisation. Measure the percentage of critical third-party vendors assessed for cybersecurity risks and ensure compliance with supply chain security requirements.
- Incident response time. Measure the time it takes for the organisation to respond to and resolve security incidents. A lower incident response time indicates efficient incident management processes.
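The KPIs above, and the 24-hour reporting deadline from the duty to report, are easy to state but only useful if they are computed consistently from the underlying records. The following is an added example, not CloudClevr’s or Clevr360’s code, showing one way to derive them from vulnerability and incident logs; all records, dates, the 14-day patch SLA, headcounts and supplier counts are constructed for illustration.

```python
"""Derive the NIS 2 KPIs discussed above from constructed sample records.

Added example, not code from the original article or from CloudClevr.
Every record, timestamp and threshold below is constructed for illustration.
"""
from datetime import datetime, timedelta
from statistics import mean

ISO = "%Y-%m-%dT%H:%M"


def _parse(ts):
    return datetime.strptime(ts, ISO)


def _percent(numerator, denominator):
    """Percentage rounded to one decimal; 100.0 when there is nothing to measure."""
    if denominator == 0:
        return 100.0
    return round(100.0 * numerator / denominator, 1)


# Constructed vulnerability records: discovery and (optional) remediation timestamps.
VULNERABILITIES = [
    {"id": "V-1", "severity": "critical", "found": "2024-09-01T09:00", "patched": "2024-09-10T17:00"},
    {"id": "V-2", "severity": "critical", "found": "2024-09-02T09:00", "patched": None},
    {"id": "V-3", "severity": "critical", "found": "2024-09-03T09:00", "patched": "2024-09-30T12:00"},
    {"id": "V-4", "severity": "high",     "found": "2024-09-05T09:00", "patched": "2024-09-06T09:00"},
]

# Constructed incident records: detection, notification to the authority, resolution.
INCIDENTS = [
    {"id": "I-1", "reportable": True,  "detected": "2024-09-10T08:00", "reported": "2024-09-10T20:00", "resolved": "2024-09-11T08:00"},
    {"id": "I-2", "reportable": True,  "detected": "2024-09-12T08:00", "reported": "2024-09-14T09:00", "resolved": "2024-09-13T08:00"},
    {"id": "I-3", "reportable": False, "detected": "2024-09-15T08:00", "reported": None,               "resolved": "2024-09-15T10:00"},
]


def patch_sla_compliance(vulns, sla_days=14, as_of="2024-10-01T00:00"):
    """Percentage of critical vulnerabilities patched within sla_days of discovery.

    Unpatched criticals still inside the SLA window are pending and excluded from
    the ratio; unpatched criticals past the window count as breached.
    """
    sla, now = timedelta(days=sla_days), _parse(as_of)
    compliant = breached = 0
    for v in vulns:
        if v["severity"] != "critical":
            continue
        found = _parse(v["found"])
        if v["patched"] is not None:
            if _parse(v["patched"]) - found <= sla:
                compliant += 1
            else:
                breached += 1
        elif now - found > sla:
            breached += 1  # still open and already past the SLA
    return _percent(compliant, compliant + breached)


def incident_reporting_compliance(incidents, deadline_hours=24):
    """Share of reportable incidents notified within the deadline, plus the late IDs.

    A reportable incident with no notification at all is treated as late.
    """
    deadline = timedelta(hours=deadline_hours)
    late, on_time = [], 0
    for inc in incidents:
        if not inc["reportable"]:
            continue
        if inc["reported"] is None or _parse(inc["reported"]) - _parse(inc["detected"]) > deadline:
            late.append(inc["id"])
        else:
            on_time += 1
    return _percent(on_time, on_time + len(late)), late


def mean_time_to_resolve_hours(incidents):
    """Mean detection-to-resolution time in hours across all incidents."""
    durations = [(_parse(i["resolved"]) - _parse(i["detected"])).total_seconds() / 3600 for i in incidents]
    return round(mean(durations), 1) if durations else 0.0


def kpi_summary(trained=185, headcount=200, suppliers_assessed=18, critical_suppliers=24):
    """Board-level KPI snapshot; training and supplier figures are constructed defaults."""
    report_pct, late_ids = incident_reporting_compliance(INCIDENTS)
    return {
        "incident_count": len(INCIDENTS),
        "patch_sla_pct": patch_sla_compliance(VULNERABILITIES),
        "reported_within_24h_pct": report_pct,
        "late_reports": late_ids,
        "mean_time_to_resolve_h": mean_time_to_resolve_hours(INCIDENTS),
        "training_completion_pct": _percent(trained, headcount),
        "critical_suppliers_assessed_pct": _percent(suppliers_assessed, critical_suppliers),
    }


if __name__ == "__main__":
    for name, value in kpi_summary().items():
        print(f"{name}: {value}")
```

The one design choice worth noting is how open items are treated: an unpatched critical vulnerability that is still inside its SLA window is neither a success nor a failure yet, so it is left out of the ratio, whereas a reportable incident with no notification on record is counted as late, because the 24-hour clock has already run.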
Getting ready for NIS 2
CloudClevr can support you with your path to NIS 2 compliance. We can carry out a detailed gap analysis, identifying whether you fall under the NIS directive, evaluating risks, implementing security measures based on the NIS 2 requirements, and ensuring compliance. We can also work with you to build a strategic roadmap aligning with key stakeholders to address any issues identified in the analysis.
Supporting this process alongside our practice experts will be Clevr360, our platform that helps improve security and assurance by providing a unified view of your technology estate. It will help provide clear, actionable dashboards to track your vital KPIs like the ones discussed in this article.
Its regular monitoring and analysis of these indicators can help identify and evidence areas of improvement and demonstrate your organisation’s commitment to increasing your cyber resilience and legal accountability.
To find out more about how we can support you with NIS 2 compliance, contact us today. With only a few months to go, every day counts in getting your organisation ready.