Version 2 of the Network and Information Systems Regulations (NISR) comes into force in the EU on or around 17 October 2024. These are not just tweaks to the existing NIS regulations. Companies need to take a good look at the requirements to ensure that, should the worst happen, the regulators do not come after them, both as companies and as directors. Check out our earlier post in the resources section of our website for more detail (article of 12th December 2022 – The EU’s Network and Information Systems Directive 2.0: Wider, deeper and looking for blood). It is happening: are companies acting fast enough to be ready?
Detail
Version 2 of the NISR legislation requires EU member states to significantly upgrade their cyber security and to enforce these regulations more effectively. These new measures should be adopted, published and applied from 18 October 2024.
Transportation is one of the infrastructure sectors covered by the new, strengthened regulations. The key issue is that all companies with more than 50 people or €10 million income are affected, and that their management bodies need to approve the measures taken to combat cyber risk, oversee the implementation of those measures and be held accountable for any violation of them. They will need to engage in training regularly, as will their employees. An important proviso is that this is applicable to “essential and important” companies in the transportation sector: this means companies that are responsible for the import or export of strategic quantities of raw materials, food and other life-sustaining products and/or people – including tourism.
The NISR’s scope has increased to include not only the companies that provide the important or essential services but also their key suppliers, including IT suppliers. Management liabilities are specified, and the regulations identify how control should be effected and how breaches should be reported. Failure to comply, or to report breaches in a timely manner, could render the personal assets of directors liable or vulnerable.
Critically, the impact of the regulations will depend on the extent to which they are enforced and on which organisations are classed as important and/or essential. The thresholds of both revenue and numbers employed are such that it will be hard to avoid inclusion, particularly in the shipping sector. It remains to be seen whether companies domiciled in one country but flagging their vessels outside the EU will be affected in the same way as companies that are purely terrestrial.
Conclusion
These changes engage management far more heavily in the cyber security posture of their enterprise. Time will tell how far member states are prepared to go to enforce their own rules and act against their own companies. It will take more than just a regulatory change to drive through the necessary improvements: unless and until countries are prepared to sanction their own organisations in cases where flagrant breaches have occurred, the regulations may only have a marginal effect. If the European Commission is prepared to pursue organisations and their suppliers in cases where large amounts of personal data have been compromised, or strategic services have been rendered unavailable, then we might start to see the ground shift.
Cyber security is a marathon, not a sprint. We all know this. Companies are at different levels of readiness. There is less head-in-the-sand thinking, but there is still some complacency. We stand ready to help all our friends and customers meet these challenges, both in terms of risk transfer and risk management activity. We believe there is great utility in understanding where breaches have occurred and why, and in sharing that experience, but we would hope that all our prospective customers will seek to reduce the unnecessary costs of dealing with breaches by taking appropriate measures upfront. The cost of prevention is puny compared to the cost of remediation. To the extent that it is possible, national authorities across Europe should be engaging with the key sectors in their economies to make sure that breaches do not happen or, if they do happen, are limited in scale. Too much money is being leached out of the system post-breach, whether by ransom demands or the costs of remediation. The ha’porth of tar applied before a voyage really does protect the ship.
As always, we are here if you wish to discuss the above or any other cyber related topic.