NIS2 impacts UK companies providing services to the EU, and the Cyber Security and Resilience Bill, introduced in the King’s Speech, means companies have to act
By Steve Harris, CEO, CloudClevr
UK companies should not be under any misapprehension that NIS2 will not affect them. Due to apply from 17 October 2024, it will catch any UK company providing essential or important services in the EU.
Even companies that fall outside NIS2 will be caught by the Cyber Security and Resilience Bill introduced in the recent King’s Speech. Although details remain thin, the Bill is likely to set requirements similar to those of EU regulations such as NIS2 and DORA.
Therefore, ensuring resilience in the face of a cyber-attack or other IT incident has to become a priority for UK companies to protect data, and ensure business continuity and regulatory compliance.
What do these new regulations cover?
The NIS2 Directive is a legislative act that aims to achieve a high level of cybersecurity across the EU.
The original NIS directive was intended to improve cybersecurity across EU member states, but its implementation was patchy. The ever-changing threat landscape and the increasingly sophisticated nature of cyber-attacks have meant that the EU has had to introduce NIS2.
The Cyber Bill, introduced in the King’s Speech, is likely, once published, to follow a similar approach to NIS2. It will increase the emphasis on protecting critical national infrastructure such as the NHS and other key utilities. Organisations will face stricter security requirements and more regular, more stringent assessments. Regulators will be given greater powers, and there is likely to be a particular focus on the threat emanating from supply chains.
How do companies get ready for these new regulatory requirements?
Worryingly, it’s estimated that 58% of third-party suppliers (of 50 to 1000 employees) are not ready for NIS2 compliance. It is, therefore, vital that organisations move fast to boost their security posture.
Helpfully, NIS2 stipulates a number of key areas where organisations must be compliant.
- Duty of care. You must carry out a risk assessment. Based on this risk assessment you should take measures to guarantee business continuity as much as possible and protect the information used.
- Duty to report. Where an incident could significantly disrupt the provision of essential services, you must send an early warning to the supervisory authority within 24 hours of becoming aware of it, followed by a fuller incident notification within 72 hours. Whether an incident is reportable depends on several factors such as the number of users affected, the duration of the disruption, and the potential financial losses.
- Supervision. Organisations in some sectors covered by the NIS2 directive will be under supervision. The supervisory body will look at compliance with the obligations of the directive, such as the duty of care and the duty to report.
To ensure compliance with these areas, it’s imperative for board-level reporting to encompass a comprehensive set of strategic key performance indicators (KPIs). Organisations that are more mature in their compliance structure may also look at Key Risk Indicators (KRIs).
These metrics serve as essential tools to assess risk and provide evidence to the board about the organisation’s compliance, as well as carry out assurance of critical third-party suppliers.
The same metrics are likely to be relevant under the UK’s own Cyber Bill, so the effort serves both regimes.
Examples of useful KPIs
On the KPI side, metrics that can support demonstration of NIS2 and Cyber Bill compliance include:
- Number of security incidents. Count the security incidents and breaches recorded within a given period, and track the trend. Read the figure with care: a low count can reflect effective controls, but it can equally reflect weak detection, so report it alongside detection coverage rather than treating it as proof of compliance on its own.
- Patch management compliance. Measure the organisation’s adherence to timely patch management. It assesses the percentage of critical vulnerabilities patched within a specified timeframe, indicating proactive security maintenance and compliance.
- Employee training completion rate. Track the percentage of employees who have completed mandatory cybersecurity training. A high completion rate indicates a culture of security awareness and compliance with training requirements.
- Third-party risk assessment. Evaluate the frequency and comprehensiveness of the third-party risk assessments the organisation conducts. Measure the percentage of critical third-party vendors assessed for cybersecurity risks, and use it to evidence compliance with supply chain security requirements.
- Incident response time. Measure the time it takes to detect, contain and resolve security incidents (commonly tracked as mean time to detect and mean time to resolve). Shorter times indicate efficient incident management, and the interval from detection to notification is also what the 24-hour duty to report is measured against.
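As an added illustration, not taken from the article or from CloudClevr, the following Python computes the KPIs above from constructed records and also flags significant incidents whose 24-hour early warning was late, which is the duty-to-report check described earlier. The record layout, the patch SLAs (14 days for critical, 30 for high) and all sample data are assumptions made for the example.

```python
"""Compute NIS2-style board KPIs from constructed records (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed internal SLAs: days allowed to patch a vulnerability of a given severity.
PATCH_SLA_DAYS = {"critical": 14, "high": 30}
# NIS2 early-warning window: 24 hours from becoming aware of a significant incident.
EARLY_WARNING = timedelta(hours=24)


@dataclass
class Vulnerability:
    vuln_id: str
    severity: str
    discovered: datetime
    patched: Optional[datetime]  # None while still open


@dataclass
class Incident:
    incident_id: str
    detected: datetime
    resolved: Optional[datetime]   # None while still open
    significant: bool              # could disrupt an essential service
    reported: Optional[datetime]   # when the early warning reached the authority


def patch_sla_compliance(vulns, now, severity="critical"):
    """Share of `severity` vulnerabilities patched within SLA.

    Open vulnerabilities past their deadline count as failures; open ones
    still inside their window are not yet due and are excluded.
    """
    window = timedelta(days=PATCH_SLA_DAYS[severity])
    due = on_time = 0
    for v in vulns:
        if v.severity != severity:
            continue
        deadline = v.discovered + window
        if v.patched is not None:
            due += 1
            if v.patched <= deadline:
                on_time += 1
        elif now > deadline:
            due += 1  # unpatched and overdue
    return on_time / due if due else 1.0


def mean_time_to_resolve_hours(incidents):
    """Mean detect-to-resolve time over closed incidents, in hours."""
    closed = [i.resolved - i.detected for i in incidents if i.resolved]
    if not closed:
        return 0.0
    return sum(d.total_seconds() for d in closed) / len(closed) / 3600


def early_warning_breaches(incidents, now):
    """IDs of significant incidents whose 24h early warning was late or is overdue."""
    late = []
    for i in incidents:
        if not i.significant:
            continue
        deadline = i.detected + EARLY_WARNING
        if i.reported is None:
            if now > deadline:
                late.append(i.incident_id)
        elif i.reported > deadline:
            late.append(i.incident_id)
    return late


def coverage(done, total):
    """Completion ratio guarded against an empty population."""
    return done / total if total else 1.0


def kpi_report(vulns, incidents, staff_trained, staff_total,
               vendors_assessed, vendors_critical, now):
    """Assemble the board-level figures as a single dictionary."""
    return {
        "incidents_in_period": len(incidents),
        "critical_patch_sla_pct": round(100 * patch_sla_compliance(vulns, now), 1),
        "mttr_hours": round(mean_time_to_resolve_hours(incidents), 1),
        "training_completion_pct": round(100 * coverage(staff_trained, staff_total), 1),
        "critical_vendor_assessment_pct": round(100 * coverage(vendors_assessed, vendors_critical), 1),
        "early_warning_breaches": early_warning_breaches(incidents, now),
    }


# Constructed sample data for a reporting period ending 30 September 2024.
NOW = datetime(2024, 9, 30)
SAMPLE_VULNS = [
    Vulnerability("V-1", "critical", datetime(2024, 9, 1), datetime(2024, 9, 10)),  # on time
    Vulnerability("V-2", "critical", datetime(2024, 9, 1), datetime(2024, 9, 20)),  # late
    Vulnerability("V-3", "critical", datetime(2024, 9, 5), None),                   # open, overdue
    Vulnerability("V-4", "critical", datetime(2024, 9, 25), None),                  # open, not yet due
    Vulnerability("V-5", "high", datetime(2024, 9, 1), datetime(2024, 9, 2)),       # on time
]
SAMPLE_INCIDENTS = [
    Incident("INC-1", datetime(2024, 9, 3, 8), datetime(2024, 9, 3, 20), True, datetime(2024, 9, 3, 18)),    # warned after 10h
    Incident("INC-2", datetime(2024, 9, 10, 9), datetime(2024, 9, 12, 9), True, datetime(2024, 9, 11, 12)),  # warned after 27h
    Incident("INC-3", datetime(2024, 9, 20, 0), None, False, None),                                          # not reportable
]

if __name__ == "__main__":
    for key, value in kpi_report(SAMPLE_VULNS, SAMPLE_INCIDENTS, 180, 200, 9, 12, NOW).items():
        print(f"{key}: {value}")
```

The point of the SLA logic is that an unpatched vulnerability only counts against you once its deadline has passed, so a freshly discovered item does not drag the figure down, while an overdue open item cannot hide by never being closed; the early-warning check treats a missing notification the same way.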
Getting ready for compliance
Although the UK Cyber Bill is likely to be a year or so off being implemented, NIS2 is due in just a couple of months. Either way, companies have to be ready to comply and should not delay their journey to adherence.
Third-party consultancies can support organisations with their path to compliance. Some can carry out detailed gap analysis, identifying whether you fall under the NIS2 directive, evaluating risks, implementing security measures based on the NIS2 and likely Cyber Bill requirements, and ensuring compliance. They can also work with you to build a strategic roadmap aligning with key stakeholders to address any issues identified in the analysis.
Alongside consultancy, implementing platforms that give a unified view of the technology estate can improve both security and assurance. Such platforms can provide clear, actionable dashboards to track vital KPIs like the ones discussed above.
Regular monitoring and analysis of these indicators helps identify and evidence areas for improvement, and demonstrates the organisation’s commitment to cyber resilience and legal accountability.
With the imminent introduction of NIS2 and the likely introduction of the Cyber Bill in the UK, companies have to take steps to ensure resilience in the face of a cyber-attack and to raise the level of their defences. If the growing number and sophistication of attacks has not persuaded them, then regulations that will be monitored more comprehensively than their predecessors should be the prompt to act.
On the face of it this may seem a daunting task, but bringing in expert consultancies, together with platforms that let you record and monitor your cyber defences, will support adherence and, most importantly, help keep cybercriminals out, keep data safe and keep the business running as usual.