How Do The UK Cyber Security & Resilience Bill & The EU's NIS2 Compare?

Uploaded on 2024-10-30 in NEWS-Cybersecurity News, INTELLIGENCE--Europe, GOVERNMENT-National, FREE TO VIEW, BUSINESS-Services-Law

The  British government's Cyber Security and Resilience Bill proposed in the King’s Speech is widely regarded as a much needed update to the Network and Information Systems (NIS) regulations and seen as the UK equivalent to the European Union (EU) NIS2.

It follows a review of the NIS regulations conducted two years ago and is described as an “urgent update” following the discovery that only just over half of operators of essential services have updated or strengthened existing policies and processes since the inception of NIS in 2018. However, the Bill differs from NIS2 in a number of ways.

Admittedly, the two do have similar aims. The Bill intends to strengthen the UK’s cyber defences by expanding the remit to include more digital services and their respective supply chains and by mandating increased incident reporting. This will ensure the government can keep abreast of trends by mandating disclosure of things like ransomware attacks. 

NIS2 will also apply to far more organisations, adding ‘important’ to ‘essential’ entities which is expected to see over 160,000 brought in scope, across over 17 verticals compared to the seven under NIS. Its aim is to improve the resilience of the EU through more timely incident reporting (an early warning must be made within 24 hours of a significant incident) which will facilitate the sharing of threat intelligence between member states. In this respect, NIS2 has been far more specific over who will be affected.

What’s Required?

We don’t yet know what demands the Bill will make in terms of processes and controls, but NIS2 states that both management bodies and employees will have to undergo security training on a regular basis to “identify risks and assess cybersecurity risk-management practices and their impact on the services”.

They’ll also have to implement technical, operational and organisational measures to manage those risks and to prevent and minimise the impact from their realisation.

Article 21 proceeds to name measures which include, for instance, risk management policies, business continuity/disaster recovery, system acquisition and maintenance, cyber hygiene, cryptography and encryption, and MFA.

When it comes to accountability and enforcement, NIS2 is also very clear on the potential repercussions of non-compliance. Senior management personnel can be held personally accountable and suspended from duty and regulators have a series of actions they can take to ensure compliance.

These range from warnings and ‘cease and desist’ orders, to requirements to meet certain risk management remedial obligations in a specified timeframe, to on-site inspections and targeted security audits (to be carried out by a third party and charged back to the entity), for example. There are also some hefty fines of a maximum of 10m Euros or 2% of worldwide annual turnover, whichever is higher, for essential entities and 7m Euros or 1.4% of worldwide annual turnover, whichever is higher, for important ones. 

The UK Bill has yet to unveil its punitive measures or whether board level personnel could potentially be implicated, although the latter is a general direction of travel seen globally. In the US we saw the SEC make board members accountable last July, for instance, when it revised its cyber incident disclosure processes.

The Implications For UK Businesses

Those organisations that do business in or with those based on the continent can expect to have to meet both sets of regulations and so will need to seek harmonisation where they can to reduce costs and complexity. There are already concerns that NIS2 will prove expensive, with medium-sized businesses newly within scope likely to experience the most upheaval. But the regulations also provide an opportunity to level the cyber security posture of these nations on an unprecedented scale. In doing so, they will drive down risk and the likelihood of economic disruption.

To both conserve spend and reap the maximum benefits from the process, organisations should therefore seek to look to streamline their compliance. This can be achieved by looking for overlap with other regulations and frameworks, such as ISO27001 and ISO22301, IEC62433, and the CIS critical controls. Many of these, in common with NIS2, compel the entity to implement an information security management system (ISMS), for instance, which is a management approach that governs people, process and technology. 

In keeping with the ISMS, the entity can put in place a Security Incident and Event Management (SIEM) to meet many of the demands of the regulations with respect to threat detection and response. Some SIEM also come with compliance management features that are specifically tuned to fulfil NIS2 and generate audit trails and reports to demonstrate compliance. 

How closely the UK Bill decides to mirror NIS2 remains to be seen but the impetus worldwide would seem to indicate we can expect the regulations to be more wide ranging, for the board to be accountable, and for incident reporting to be much more instantaneous.

All of these requirements will demand businesses implement far more rigorous processes regardless of which side of the channel they reside upon.

Innes Muir is Regional Manager at Logpoint

Image: Ideogram

You Might Also Read: 

Six Steps On The Road To NIS2 Compliance:

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

 

 

« What Security Teams Need To Know About The EU’s NIS 2 Directive
Making Insider Threats A Year Round Priority »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 8,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Globalscape

Globalscape

Globalscape is a leader in secure data exchange solutions.

PhishLabs

PhishLabs

PhishLabs provides 24/7 services that help organizations protect against the cyberattacks targeting their employees, their customers and their brands.

Professional Insurance Agents (PIA)

Professional Insurance Agents (PIA)

Professional Insurance Agents (PIA) offer commercial insurance services including Cyber Liability insurance.

SCIPP International

SCIPP International

SCIPP’s courses are based on internationally recognized best business practices for security awareness, for both technical and non-technical staff and to comply with regulatory mandates.

National Center for Manufacturing Sciences (NCMS) - USA

National Center for Manufacturing Sciences (NCMS) - USA

NCMS is a cross-industry technology development consortium, dedicated to improving the competitiveness of the US industrial base. Strategic initiatives include industrial cyber security.

Inspirria Cloudtech

Inspirria Cloudtech

Inspirria Cloudtech is a specialized Cloud Technologies Services provider and Cloud Aggregator focused on executing cloud models for clients.

ISA Global Cybersecurity Alliance (ISAGCA)

ISA Global Cybersecurity Alliance (ISAGCA)

ISAGCA is a collaborative forum to advance OT cybersecurity awareness, education, readiness, and knowledge sharing.

StackHawk

StackHawk

StackHawk is built to help dev teams ship secure code. Find and fix bugs early before they become vulnerabilities in production.

Aristi Technologies

Aristi Technologies

Aristi provides cybersecurity risk and compliance services to help manage your unique cyber risks, safeguarding your systems and data and complying with government and industry standards.

Kordia

Kordia

Kordia is a leading provider of mission-critical technology solutions throughout Australasia. We have the most comprehensive cyber security offering in New Zealand.

Visory

Visory

Great businesses depend on great technology. We make sure our clients go to market with enterprise-level technology and world-class security for their data and infrastructure.

Emerge Digital

Emerge Digital

Emerge Digital is a technology and digital innovation business and Managed Services Provider providing solutions to SMEs.

ZainTech

ZainTech

Zaintech is a regional digital & ICT solutions provider offering comprehensive digital solutions and services to enterprise and government customers in the MENA region.

RightCue Assurance

RightCue Assurance

RightCue Assurance identify opportunities for improvement in the Information Security for your organisation and work with you to reduce cyber risk.

Alpha Echo

Alpha Echo

Specialising in security advice and enterprise-wide Cyberworthiness, Alpha Echo helps Australia deliver on cyber outcomes at a military grade level.

Windstream

Windstream

Windstream is a leading provider of advanced network communications and technology solutions for consumers, small businesses, enterprise organizations and carrier partners across the US.