91̽»¨

Navigating NIS2 – considerations for businesses

15 August 2024

In January 2023, the European Union adopted a new version of the Network and Information Security Directive (NIS2), setting out four overarching control areas of risk management, corporate accountability, reporting obligations and business continuity. It also includes the addition of 10 minimum measures to implement an effective cybersecurity baseline. The aim of NIS2 is to increase the level of cybersecurity and resilience within critical organisations and their entire network of interconnected systems, including third parties across the European Union. The directive is set to be transposed into the national laws of member states by 17 October 2024. 

Although the UK is not directly implementing NIS2, businesses that operate across the EU or are suppliers of businesses that fall under its scope are likely to see requirements being passed on to them. Additionally, we expect the UK will seek adequacy against NIS2 and will make changes to existing cybersecurity laws. These changes may include expanding the scope of applicable industries, broadening the scope of managed service provider services, incorporating more supply chain security-related policies and increasing incident reporting obligations. 

NIS2 applicability

NIS2 applies to all entities providing essential or important services to the European economy and society, including both companies and suppliers.

Essential Entities 

(varies by sector, but generally 250 employees, annual turnover of €50m or balance sheet of €43m)

 Important Entities

(varies by sector, but generally 50 employees, annual turnover of €10m or balance sheet of €10m)
 Energy  Postal services
 Transport  Waste management
 Finance  Chemicals
 Public administration  Research
 Health  Foods
 Space  Manufacturing (eg medical devices and other equipment)
 Water supply (drinking and wastewater)  Digital providers (eg social networks, search engines, and online marketplaces)
 Digital infrastructure (eg cloud computing service providers and ICT management)  All sectors under ‘essential entities’ and within the size threshold for ‘important entities’

Supervision

To ensure compliance with NIS2, competent authorities will have new powers. These include:

  • conducting on-site inspections and off-site supervision, which could also include random checks;
  • ad hoc, regular and targeted security audits;
  • security scans; and
  • requests for information and access to data and evidence of implementation of cyber security policies.

Penalties

The requirements vary based on an entity’s designation, but regardless, the penalties for non-compliance are severe.

  • Directors and management can be held personally liable for failures in implementation, with various offences attracting criminal penalties including fines and/or possible imprisonment.
  • Fines can reach up to €10m or 2% of total turnover (for essential entities) or €7m or 1.4% of total turnover (for important entities).
  • Regulators may suspend business operations if necessary for network security.

How we can help

Applicable organisations must take steps to prepare for compliance. Below are the steps we can assist you with.

  • Implementation plan
  • Organisation assessment
  • Self-reporting mechanisms

Implementation plan

We will assess if your organisation is in scope, your relevant designation (essential or important) and your current readiness to achieve compliance. This includes:

  • a scope review identifying the applicability of NIS2 and your organisation’s obligations; and
  • an assessment of the impact of NIS2 on your current cybersecurity framework and control environment.

Organisation assessment

We will create an implementation plan against the directive’s requirements and support you in executing remediation to achieve compliance, including:

  • development of a prioritised cybersecurity control implementation plan and strategy to address identified gaps and cybersecurity risks;
  • creation of cyber policies, cyber incident response plans and cyber incident reporting processes;
  • creation of third-party risk management frameworks and assessment of your third-party’s cybersecurity provisions; and
  • development of cybersecurity governance structures, ways of working and a defined approach for cybersecurity oversight.

Self-reporting mechanisms

We will continue to support you by developing self-reporting mechanisms to track compliance, provide assurance through independent reviews and monitor NIS2 changes and interpretations from member states. This includes:

  • defining Key Risk Indicators (KRIs), Key Performance Indicators (KPIs), metrics and reporting structures to track continuous compliance;
  • developing an internal audit plan for ongoing compliance assurance; and
  • advisory services to support you in understanding and achieving compliance with the intertwined cybersecurity legislative landscape.
If you would like further information on any of the topics discussed above, please contact Stuart Leach, Sheila Pancholi or your usual 91̽»¨contact.
stuart-leach
Stuart Leach
Partner
Contact Stuart Leach +44 (0)1908 687800
Sheila Pancholi
Sheila Pancholi
Partner
Contact Sheila Pancholi +44 (0)7811 361638
stuart-leach
Stuart Leach
Partner
Contact Stuart Leach +44 (0)1908 687800
Sheila Pancholi
Sheila Pancholi
Partner
Contact Sheila Pancholi +44 (0)7811 361638
Services

Cyber Security

Our latest report reveals how middle market businesses are navigating cyber security threats.
Explore our Cyber security insights

Related insights

UK housing tracker outlook - Q3 2024

Kelly  Boorman
14 Nov 2024

What buyers and investors look for: healthcare

James Carnegie, Ed Rozwadowski
12 Nov 2024

What buyers and investors look for: industrials

John Bryant, Phil Parkes
12 Nov 2024

What buyers and investors look for: consumer markets

Gemma Legg, Gemma Heaven
12 Nov 2024

What buyers and investors look for: technology

Nick Wyatt, Clodagh Tunney
12 Nov 2024

What buyers and investors look for: financial services

Natalie Ord, Angela Toner
12 Nov 2024