UK NIS and critical national infrastructure updates
The UK government recently created a page on the new Cyber Security and Resilience Bill, which will update the Network and Information Systems (NIS) Regulations 2018. No draft of the Bill is available yet, but it is confirmed that it will cover five sectors (transport, energy, drinking water, health, and digital infrastructure) and three digital services (online marketplaces, online search engines, and cloud computing services). It will add obligations on cyber incident reporting and expand the scope to include cybersecurity risk in supply chains. At least twelve regulators in the UK will be responsible for implementing the updated NIS Regulations, and they will be given greater powers. The Bill will be introduced to Parliament in 2025.
At present, cybersecurity risks in the supply chain are managed via a government-backed certification scheme called Cyber Essentials (based on self-assessment) and Cyber Essentials Plus (assessed by a third party). The scheme is voluntary and is not restricted to a specific industry. Cyber Essentials or Cyber Essentials Plus certification is often a condition for providing ICT services to the UK government. ENISA has not included Cyber Essentials in the mapping of NIS2 requirements to international standards and frameworks in its draft NIS2 guidance. The government has reported on its ongoing talks with the EU on the cybersecurity legal framework, which hopefully means there may be further alignment between the two regimes.
When it comes to critical national infrastructure, the UK government's approach is reflected in the Resilience Framework. The UK government plans to develop critical infrastructure standards by 2030. In the meantime, it appears to focus on industry-specific cybersecurity requirements; for example, cybersecurity requirements for telecoms entities were set out in the Telecommunications (Security) Act 2021. It has also created the National Protective Security Authority to support critical national infrastructure entities, which at present covers 13 sectors¹ (data centres were added as a sub-group in September 2024).
EU NIS2 and CER updates
In the meantime, EU member states are continuing to implement NIS2, which became enforceable on 18 October this year. Although progress varies from one member state to another, the majority have either implemented local legislation on NIS2 or published a proposal. In Germany, for example, the current draft is under internal discussion in committees of the German parliament; the latest draft reflects the changes suggested by the committee for home affairs. Certain regulators in EU member states have published their own guidelines on NIS2 and provided a platform for self-reporting by organisations that fall within the scope of NIS2 (e.g. the Italian National Cybersecurity Agency opened an online portal on 1 December 2024).
Organisations are still working to ensure their compliance with NIS2 requirements and should consult the guidelines available in the EU member states in which they operate. The European Commission may provide more clarity on what is required from service providers in digital infrastructure and managed security services², given their cross-border operations. The European Commission's implementing act details what their policies should look like and sets thresholds for significant incidents for each type of organisation. ENISA has published draft guidelines for such organisations in support of the implementing act, which are open for consultation until 9 January 2025.
As for the EU Critical Entities Resilience Directive (CER), EU member states were required to adopt and publish local implementing acts by 18 October 2024. The CER covers 11 sectors: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, public administration, space, and the production, processing and distribution of food. EU member state competent authorities are to carry out risk assessments by 17 January 2026, using the list of essential services in the CER, and to identify the critical entities to which the CER will apply by 17 July 2026.
Updates on DORA and the UK Operational Resilience rules
Cybersecurity requirements for financial entities in the UK and the EU
Financial entities are also working towards compliance with new cybersecurity rules in both the UK and the EU. In the UK, the operational resilience (usually abbreviated as opres) rules become enforceable by 31 March 2025, whereas the EU Digital Operational Resilience Act (DORA), a sector-specific cybersecurity regulation, becomes enforceable on 17 January 2025. Although the two regimes aim to achieve the same purpose, they differ in how risk is to be determined and when competent authorities must be notified. The DORA requirements are clarified in the relevant regulatory and implementing technical standards, which run to nearly 1000 pages and are legally binding.
The scope of the UK opres rules is limited to banks, building societies, PRA-designated investment firms, insurers, recognised investment exchanges, enhanced-scope Senior Managers and Certification Regime firms, and firms authorised or registered under the Payment Services Regulations 2017 or the Electronic Money Regulations 2011, whereas DORA applies to almost all regulated financial entities. Financial entities present in both the UK and the EU will continue to look for efficient ways of complying with both regimes.
Please let us know if you need assistance in identifying whether your services fall within the scope of NIS2 and we can help navigate the plethora of local requirements.
¹ Chemicals, civil nuclear, communications (including data centres), defence, emergency services, energy, finance, food, government, health, space, transport, and water.
² DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online marketplaces, online search engines and social networking services platforms, and trust service providers.