Why UK enterprises mustn’t ignore NIS2

31 October 2024

The EU’s new Network and Information Security Directive (NIS2) came into force on 17 October – and while not directly applicable to UK enterprises, its impact will still be felt.

Building on the original 2016 directive, NIS2 expands across critical sectors including energy, healthcare, transport and digital infrastructure and introduces stricter requirements for organisations classified as either ‘essential’ or ‘important’ entities. Key provisions include mandatory risk assessments, enhanced supply chain security measures and a robust incident reporting process. With its implementation, organisations with more than 50 employees or an annual turnover exceeding €10 million are now required to improve their security measures.

This scope will require a significant number of UK organisations with EU connections to assess their compliance to avoid disruption with European partners, particularly since the EU remains the UK’s most important trading partner, accounting for 42% of UK exports and 52% of imports.

“Many more UK organisations than you might expect collaborate with European partners. UK organisations must act swiftly to determine if the NIS2 Directive applies to their operations,” reports Keith Poyser, Vice President for EMEA at Horizon3.ai.

Ernst & Young highlights that a key difference between NIS2 and its predecessor is the introduction of personal accountability – in the case of UK companies, this could separate them from their EU partners.

“Take a British cloud provider serving customers in France. If they do not comply with NIS2 standards and a breach occurs, the executives of the French company face significant fines. This could lead to substantial business losses for British firms that have not addressed NIS2. British executives need to improve their compliance now to avoid these serious risks,” explains Poyser.

So what actions can UK IT teams take to ensure compliance and retain EU business?

“Identity Security is going to take centre stage from a compliance point of view here, as it involves constantly checking and authorising both internal and external users, following Zero Trust principles,” says David Higgins, Senior Director, Field Technology Office at CyberArk. “This is especially important since organisations have to protect a huge network of threats under NIS2, including subcontractors and service providers. Companies also need to tick off important NIS2 Article 21 requirements related to handling and reporting incidents. Having a solid Identity Security strategy is important here, to not only protect vital infrastructure against those inevitable future attacks, but also to track and manage the handling of critical information in real-time.”

Meanwhile, Bart Salaets, Field CTO EMEA at F5, says that “to navigate the legislation, organisations should create centralised visibility and unified reporting across security platforms. The need for integrated solutions and sophisticated reporting tools – potentially AI-driven – will be essential in helping organisations meet their reporting obligations under NIS2.”

It’s not all doom and gloom though – with the stricter new regulations comes an opportunity for some of the UK’s best and brightest to expand their business with European partners.

“Implementing the required changes will not only ensure organisations are attractive business partners and avoid unwelcome fines and negative publicity, but it will also bring new opportunities to enhance cyber resilience and overall security posture,” says Simon Fisher, Senior Advisory Services Consultant, Orange Cyberdefense. “With finances remaining tight – especially in advance of the UK government’s upcoming budget – IT and security leaders should use these regulations to reiterate the importance of cybersecurity and compliance to the board. This should help them unlock additional budget to stay ahead of the incoming regulations by investing in comprehensive cyber risk assessments, integrated incident reporting, cyber resilience testing and cross-framework governance.”