How the NIS2 Directive will impact UK businesses

The Network and Information Security 2 Directive (NIS2), formally known as Directive (EU) 2022/2555, represents a significant evolution in the European Union’s approach to cybersecurity. Due to be transposed into national law by the Member States by October 2024, NIS2 aims to enhance cybersecurity across the EU by broadening the scope of the original NIS Directive (NIS1) and introducing more stringent requirements for businesses.

Although the UK is no longer part of the EU, NIS2 will still have implications for UK businesses, particularly those that operate within or provide services to the European Union. This blog post explores how NIS2 will affect UK businesses and what steps they should take to stay compliant and competitive in this evolving regulatory landscape.

What is NIS2?

NIS2 is the successor to the original NIS Directive, which was implemented to boost the overall cybersecurity posture of critical infrastructure sectors across the EU. The new Directive is designed to address the growing threats associated with digitalization and the increasing frequency and sophistication of cyber-attacks. It introduces enhanced security measures, broader sectoral coverage, and stricter enforcement mechanisms to ensure a more resilient digital environment across Europe.

Key changes introduced by NIS2

Broader scope of application: NIS2 extends the scope of the original Directive by including more sectors and types of organizations. It covers both essential and important entities, ranging from energy, transport, and banking to digital infrastructure, public administration, and even space. This broader scope means that more businesses, including those not previously covered by NIS1, will now be subject to enhanced cybersecurity regulations.

Stricter security requirements: NIS2 mandates more rigorous cybersecurity measures, including incident reporting, supply chain security, and the implementation of robust access controls. The Directive also requires businesses to adopt encryption techniques and ensure continuity of services, even in the event of a cyber incident.

Increased accountability and enforcement: The Directive introduces stricter supervisory measures and harmonized rules across the EU. Businesses that fail to comply with NIS2 requirements could face substantial fines and other penalties. The Directive also places greater emphasis on the accountability of senior management for cybersecurity failures.

Enhanced cross-border collaboration: NIS2 emphasizes the importance of cross-border cooperation in cybersecurity. It encourages EU Member States and affected businesses to work together in sharing information about cyber threats and incidents, ultimately strengthening the collective security of the region.

How will NIS2 affect UK businesses?

Compliance requirements for UK-based businesses operating in the EU: If your business provides services or products within the EU, you need to check whether your company falls within the scope of the Directive. If it does, you will need to comply with the Directive’s cybersecurity requirements, even if your operations are based in the UK. This includes, among other things, implementing security measures, reporting incidents, and ensuring the protection of supply chains.

Impact on cross-border trade and supply chains: UK businesses that are part of supply chains involving EU partners must ensure that their cybersecurity practices align with NIS2 standards. Failure to do so could jeopardize partnerships, as EU-based organizations may prioritize suppliers that meet the Directive’s requirements.

Harmonized sanctions and legal risks: NIS2 introduces harmonized rules on regulatory supervision and enforcement across the EU, which means that non-compliance could result in significant legal and financial consequences for UK businesses subject to NIS2. These sanctions could include hefty fines, operational restrictions, or even the suspension of activities within the EU market.

Potential influence on UK cybersecurity regulations: While the UK is not obligated to implement NIS2, the Directive’s principles could influence the evolution of UK cybersecurity laws. The UK Government may choose to align its cybersecurity regulations with NIS2 to maintain a competitive edge and facilitate cross-border business with the EU.

The role of encrypted data rooms in NIS2 compliance

To mitigate the impacts of NIS2, UK businesses should take proactive steps to align their cybersecurity practices with the Directive’s requirements. NIS2 requires Member States to implement laws that mandate organizations to take appropriate technical measures to manage the risks posed to the security of network and information systems. These should include the use of cryptography and encryption (NIS2 Article 21(2)(h)). While it is up to the Member States to implement NIS2 and lay down the exact requirements in national law, it will likely be crucial to choose strong encryption, for example end-to-end encryption (E2EE) with a zero-knowledge principle.

Therefore, choosing an end-to-end encrypted data room for collaboration should be a vital part of any business’s strategy. In this case, even the data room provider cannot access the encrypted data, and unencrypted data could leak only in the event of a breach of the provider’s servers.

Encrypted data rooms also facilitate the implementation of two other NIS2 requirements. First, companies must disclose their IT infrastructure vulnerabilities (NIS2 Article 21(2)(e)). Ideally, vulnerabilities are discovered during a penetration test, but in the worst case, through a cyberattack. In both scenarios, security gaps often need to be communicated to an external service provider for remediation. Second, incident management (NIS2 Article 21(2)(b)) requires not only documenting the resolution of vulnerabilities but also reporting the details of a cyberattack to a Computer Security Incident Response Team (CSIRT) and the relevant authorities. This process involves significant risk, as companies reveal their largest attack surfaces. Using highly secure, encrypted data rooms for sharing such information is therefore vital and can help mitigate these risks.

Additionally, NIS2 requires companies to establish access control policies (Article 21(2)(i)). Virtual data rooms that offer dedicated access rights management, allowing administrators to regulate and document who has downloaded which files, can also help with this requirement.

Furthermore, if companies fall victim to a cyberattack, NIS2 (Article 21(2)(c)) requires critical infrastructure companies to guarantee business continuity. An essential part of the recovery strategy is system backups. Virtual data rooms are an ideal storage location for backups, allowing systems to be restored quickly in emergencies. Unlike hardware solutions, virtual data rooms allow access to stored data from anywhere via the cloud.

Cybersecurity beyond NIS2

NIS2 represents a significant shift in the EU’s approach to cybersecurity, with far-reaching implications for businesses both within and outside the EU. For UK businesses, particularly those operating across borders, understanding and preparing for NIS2 is essential to maintaining compliance, safeguarding operations, and staying competitive in a rapidly evolving digital landscape.

By taking proactive steps now, such as using virtual data rooms, UK businesses can not only take a step toward NIS2 compliance, but also enhance their overall data security, efficiency, and external and internal collaboration. However, implementing virtual data rooms alone is insufficient for comprehensive protection. To fully safeguard their business, it's essential for UK businesses to invest in employee training, ensuring that staff are well-informed and prepared to respond effectively in the event of a security incident.

Ready to learn more? Click here to find out how Tresorit can support you on your NIS2 journey!