Opinion

NIS2 - Why early compliance is essential

Graham Hawkey, senior regional sales manager, Osirium, explains what's changing
By
Graham Hawkey

NIS regulations are nothing new for UK businesses. 

Short for Network & Information Systems, NIS in its current form first came into force in May 2018 following the EU’s 2016 NIS Directive, with the aim of better protecting essential services from online attacks.

However, it now seems that the scope and terms of NIS are soon set to change.

The EU recently announced that its own NIS regulations will be tightened in October 2024, introducing stricter rules and reporting requirements alongside higher sanctions for compliance failures.

As a result of Brexit, this legislation will only apply to businesses that have links to or subsidiaries within an EU country. However, that is not to say that UK firms are sitting pretty, with a new UK version of the rules likely to be introduced very soon. 

In November 2022, UK Cyber minister Julia Lopez said: “We are strengthening the UK’s cyber laws against digital threats. This will better protect our essential and digital services and the outsourced IT providers which keep them running.”

And more recently, in January, the UK Government stated that “the NIS regulations will be updated as soon as Parliamentary time allows”.

What will NIS2 cover?

It’s relatively safe to assume that the UK’s own NIS update will be similar to the EU’s latest directive (NIS2), which has three key objectives:

  1. To increase the cyber resilience of organisations in sectors which provide essential services.
  2. To reduce inconsistencies in resilience among organisations already covered by the directive.
  3. To improve collective awareness, trust and capabilities through avenues such as information sharing, and the setting of distinct measures to be followed in the event of incidents.

Achieving these objectives will involve several key changes. 

NIS2 will place greater emphasis on the security of supply chains and supplier relationships, as well as providing guidance on everything from incident handling, business continuity and crisis management procedures to more technical measures such as multi-factor authentication and encryption. 

Further, many sectors not currently covered by NIS will be pulled into the regulations, including ICT service management, postal and courier services, and waste management. 

Preparing for NIS2 with PAM

These impending changes cannot be ignored. CISOs who assume their organisation won’t fall under the scope of NIS2 could find themselves on the back foot, potentially resulting in severe non-compliance penalties.

In the case of EU NIS2, fines could be as high as €10 million or 2% of global turnover. In the UK, meanwhile, organisations already under the scope of NIS can be fined £17 million for non-compliance.

Of course, NIS2 won’t come into enforcement until October 2024, while the UK’s own version is yet to be formally announced. However, business leaders can benefit from getting ahead of the game and proactively embracing the essentials of compliance.

So, how exactly can organisations begin to align with the requirements of NIS2?

Embracing effective privileged access management (PAM) should be the first port of call. It delivers a range of benefits by monitoring, detecting and preventing unauthorised access to critical organisational resources, and the directive itself notes that the use of “access management, and automated access decisions, should be promoted” to safeguard public electronic communications.

Notably, the NIS2 directive points to a few key areas relating to privileged access security and endpoint management. In Chapter 49, for example, it states that cyber hygiene policies comprising a common baseline set of practices, including the limitation of administrator-level access accounts, enable a proactive framework of preparedness and overall safety and security in the event of incidents or cyber threats.

Indeed, where staff workstations are often the key point of attack for cyber criminals, PAM can be used to manage endpoints effectively, ensuring users can’t install malicious applications. Further, the risk of attacks can also be reduced through isolating sessions, managing credentials, enabling just-in-time access and instilling key features such as secure MFA and session recording/audits.

PAM can also be used to spot suspicious activity on a network, limit the number of administrator-level access accounts, and even prevent the loss of back-ups in the event of a ransomware attack. In this sense, it is an effective way for organisations to align with NIS2 criteria, enabling compliance and enhancing the security posture of essential service providers with ease.

Written by
Graham Hawkey
December 1, 2023