On 28 November 2022 the Council of the European Union formally adopted the successor to the 2016 Network and Information Security Directive (NIS). This new directive, NIS2 (Directive (EU) 2022/2555), is more than a tinkering; it is a significant tightening. The changes are more than cosmetic: the new rules are broader and deeper, the notification requirements are more stringent, and the penalties for delayed reporting or insufficient preparation can be higher, including personal accountability where boards or individual executives are found culpable. The directive entered into force on 16 January 2023 and member states must transpose it into national law by 17 October 2024. More of the same? Not really. Much more. And soon.
Detail
While the basic details of this increasingly stringent piece of legislation are already known, individual member states have 21 months from entry into force to transpose the directive into their own national law. The focus areas are:
– Expansion beyond the original concept of ‘operators of essential services’ to cover medium-sized and large entities (50 or more staff, or annual turnover or balance sheet above 10M€) operating in the sectors listed in the directive’s annexes, with a few entity types in scope regardless of size. Large entities (250 or more staff, or turnover above 50M€ and balance sheet above 43M€) in the most critical sectors are classed as ‘essential’; the remainder are ‘important’;
– Remedies and sanctions: the directive sets minimum maximum fines (at least 10M€ or 2% of worldwide annual turnover for essential entities, and 7M€ or 1.4% for important entities), leaving the detailed rules and levels to the member states;
– More defined / streamlined reporting requirements: an early warning within 24 hours of becoming aware of a significant incident, a full notification within 72 hours, and a final report within one month;
– Creation of an information sharing network for large-scale cross-border incidents
– Requiring companies to adopt improved risk management: incident response, business continuity and disaster recovery, and security of the supply chain;
– Alignment with sector specific legislation including the finance sector (DORA) and critical infrastructure (CER)
and
– Increased focus on management accountability
So what?
The widening of the scope is significant for two reasons. First, companies that were hoping to stay outside the NIS framework are now, by dint of size, in scope and, if they have anything to do with the 27 member states, will come under increased pressure to up their cyber game. Second, companies that provide services to companies now in scope will find themselves under increasing scrutiny, because NIS2 obliges in-scope entities to manage the security of their supply chain. This demonstrates that outsourcing does not transfer reputational risk. It is our contention that suppliers will find their costs increase as they try to price in the additional regulatory risk now facing them, and that customers will be loath to pay more to suppliers who should have been doing this anyway. Customers would be well advised to review the contracts they currently have with their supply chain companies to understand who owns which risk: they will find in many cases, particularly for IT service provision, that their suppliers have sought to transfer all of the risk onto their clients.
While the legislation is at pains to keep these requirements proportionate, it is clear that company management will need to be more involved in the management of cyber risk. Management bodies must approve and oversee the risk management measures, and the prospect that individual members might be held personally liable for failures that lead to a breach under this law is potentially far reaching.
The widening of the coverage of the directive makes sense – reflecting the interconnectedness of everything. There are some definitional questions around essential and important, but the thresholds are clear. It will be especially important that the member states of the EU adopt a reasonably common approach to implementation to avoid opening up gaps and enabling ‘quality arbitrage’ between jurisdictions. Member States must also take a consistent view of enforcement, so that companies do not seek to exploit differences and arrive at a lowest common denominator approach.
The implications of these upgraded regulations may come as a shock to those organisations that thought they had dodged a bullet in the original regulations. Their inclusion is long overdue. This should not be viewed as an opportunity to gouge more money out of their customers: rather, the customers need to start demanding that critical supply chain companies take these regulations seriously and recognise that both customers and suppliers have a clear interest in working together to get this right. Prices may rise but the cost of prevention is far lower than the cost of a cure.