The tech regulatory landscape is constantly evolving, with the imminent Network and Information Security 2 Directive, more widely known as NIS2, that aims to enhance cybersecurity and resilience across the EU. EU Member States have until 17th October 2024 to transpose the NIS2 security requirements into national law.
The Directive, which has come about in response to increasing digital threats and the rise in cyber-attacks, aims to enhance security requirements, address supply chain security, streamline reporting obligations, and implement stricter supervisory measures and enforcement standards, including harmonised consequences for non-compliance across the EU.
While the UK is not implementing NIS2, since it’s no longer bound by EU legislation, UK businesses that operate essential services within the EU, will need to comply and should start preparing now to implement the comprehensive measures. Such UK companies which fall under the scope of the directive, may face sanctions by the authority in the member state where they register their representative.
UK businesses who are operators of essential services solely within the UK, however, should also be fully up-to-speed of the new requirements, as although the UK will not be implementing EU NIS2, it is planning to update its information security legislation with similar requirements. These include regulation of managed services providers, and a two-tier supervisory regime – with proposed UK NIS reforms outlined in the government’s whitepaper.
In light of this, here I offer an overview of the NIS2, with advice on how businesses can prepare. I will discuss the critical role of encryption in meeting many of the Directive’s stringent requirements and ensuring robust data protection.
Understanding which sectors need to comply with NIS2 is essential for UK businesses, especially those working with or providing services to EU-based organisations. While UK companies may not be directly subject to the Directive, industries that interact with critical infrastructure and essential services within the EU will increasingly be required to provide NIS2-specific documentation, such as risk analyses and security compliance reports. For UK businesses, staying informed about which sectors are affected allows them to offer relevant solutions, ensuring they remain competitive in the EU market by meeting regulatory demands and maintaining strong partnerships.
The NIS2 Directive eliminates the distinction between the operators of essential services and digital service providers. It classifies organisations into essential and important entities including sectors, which were not covered under the first NIS Directive, such as postal services and public administration.
Essential entities include sectors such as energy, transport, banking, health, and digital infrastructure. Important entities cover postal services, waste management, chemicals, food, and digital providers. By introducing a clear company size threshold, NIS2 applies to medium and large companies in these sectors, with stricter oversight, tougher enforcement, and higher fines for non-compliance than those outlined in its predecessor.
- Implement cryptography and encryption methods to protect data: Organisations should use encryption methods to protect data, ensuring it remains unreadable to unauthorised individuals and meets robust security standards. The gold standard is zero-knowledge, end-to-end encryption (E2EE). Data is encrypted on the sender’s device and only decrypted on the recipient’s device, with the service provider having no access to the content and the encryption keys. Encryption is crucial both internally and for external communications, ensuring secure email and data sharing throughout the supply chain, which leads aptly on to requirement number two.
- Ensure data protection across supply chains: It’s crucial to maintain strong cyber security practices not just internally, but also when sharing data with suppliers and contractors, ensuring all collaborative tools safeguard digital assets.
- Prepare for cyber security incidents: Businesses must develop a comprehensive response plan for data breaches and incidents. High-security cloud solutions that limit access to sensitive information during an incident could play a vital role in this.
- Maintain business continuity: Organisations must implement disaster recovery and backup solutions to ensure operations can continue during a crisis. This is crucial as business disruptions to those managing critical resources like water supply and healthcare can have serious consequences on a broader community.
- Share vulnerability information securely: NIS2 emphasises the importance of sharing information about system vulnerabilities with relevant authorities and third parties if needed. While collaboration is key to reducing cyber risks, sharing details about system vulnerabilities requires the utmost security. An end-to-end encrypted collaboration platform could help facilitate compliance with this requirement
- Enforce cyber hygiene: It’s vital to provide regular cyber security training for all employees and ensure that cyber security tools are user-friendly to prevent bypassing security protocols.
- Implement access control and asset management: Accurate records of all hardware and software should be maintained, and only authorised employees should have access to these assets to protect sensitive data.
- Develop an IT security maintenance strategy: Organisations must regularly update IT infrastructure and ensure any new software or digital platforms are frequently patched and updated to combat evolving cyber threats.
Cloud collaboration tools that provide zero-knowledge end-to-end (E2E) encryption across all platforms, help businesses to comply with NIS2 and maintain productivity by:
- Offering ultimate protection for data: Thanks to E2E encryption, all files are encrypted with unique keys, ensuring that only authorised users can access them, even if servers are breached.
- Securing access: Organisations can control which devices and locations can access files, manage permissions at a granular level, and limit or revoke access as needed.
- Enforcing security policies: Organisations can implement and manage security measures like 2-step verification and IP filtering through a unified interface.
- Encrypting email attachments: Enabling businesses to seamlessly integrate with Gmail and Outlook to automatically encrypt email attachments and replace them with secure share links using existing email accounts.
As NIS2 approaches, UK businesses operating in the EU should enhance their cyber security capabilities by preparing for compliance with its cyber security standards. Adopting end-to-end encrypted document collaboration tools will be crucial. Although the UK is not implementing NIS2, preparing for similar local cyber security laws and focusing on robust encryption and risk management will strengthen security and ensure compliance.