11 April 2025

What do new Cyber Laws mean for your organisation?

Written by Laura Cunningham

On 1st April the UK government issued a policy statement on the proposed Cyber Security and Resilience Bill. The Bill is intended to be the UK equivalent of the European Union’s Network and Information Security Directive (NIS2), which came into effect on 17th October 2024, subject to the enactment of domestic legislation in member states.

The aim of NIS2 was to build on the existing NIS1 framework to achieve a high level of cybersecurity resilience across the European Union in a number of ‘critical’ sectors. In doing so, it introduces a number of enhanced obligations as well as penalties for non-compliance.

In this article we explore the key implications of these new cyber security laws for organisations as well as examining any practical cybersecurity considerations.

Legislative Approaches

Cyber Security and Resilience Bill

Despite the UK no longer being an EU Member State, the newly proposed Cyber Security and Resilience Bill adopts a similar approach to the NIS2 Directive and is an attempt to harmonise the approach to cybersecurity in both jurisdictions. The Bill’s focus is on operators of essential services (OESs), relevant digital service providers (RDSPs), and related supply chains. The Bill’s aim is to protect essential digital services, update critical infrastructure and security frameworks, and make supply chains and energy services more secure. Should the proposals be enacted, the Bill is set to take a flexible and strategic approach, allowing the government to respond proportionately to cyber threats in a way that balances the impact on business whilst also striving to align with the approach adopted in NIS2.

While the UK Bill is unlikely to come into force until late 2025, UK-based organisations that have operations in the EU should already be considering whether they currently come within the scope of domestic iterations of NIS2 in the EU Member States in which they are active. In the Republic of Ireland, for example, impacted organisations await the transposition of NIS2 in the form of the National Cyber Security Bill 2024. Although the 2024 general election in Ireland delayed the implementation of the Bill, organisations that fall within the Bill’s scope should be actively preparing for its implementation.

Key Cybersecurity Implications

Scope: The new laws expand upon the scope of the previous NIS1 Directive by adding new sectors based on their degree of digitalisation and how critical they are for society and economies. Clear size thresholds have also been introduced so that all medium and large-sized organisations in selected sectors (including the public sector) will be in scope.

Regulatory supervision: NIS2 sets out new powers of supervision that competent authorities must have, including powers to conduct on-site inspections, off-site supervision, random checks, regular and targeted security audits, ad hoc audits, security scans, requests for information, access to data and evidence of implementation of cybersecurity policies.

Enforcement and fines: NIS2 also sets out new powers of enforcement for competent authorities. Most significant is the introduction of administrative fines that can be imposed on entities that breach certain requirements, ranging from 1.4% to 2% of annual worldwide turnover, or up to €10,000,000.

Practical Considerations for Organisations

Are you within the scope? The extended scope of sectors covered under NIS2 includes telecommunications, public administration, and the food supply chain. If your organisation has over 50 employees or an annual turnover of €10 million, it may be impacted by NIS2. A list of the extended scope of sectors included under NIS2 can be found in Annexes 1 and 2 of Directive (EU) 2022/2555 of the European Parliament and of the Council.

What about personal responsibility? NIS2 introduces personal responsibility for members of management of essential and important entities for failure to comply with cybersecurity risk management requirements. In certain circumstances, a competent authority may, in respect of essential entities only, require the temporary prohibition of a person responsible for discharging managerial responsibilities at CEO or legal representative level from exercising managerial functions.

Have you considered your risk management strategies? NIS2 strengthens and streamlines security and reporting requirements for organisations by emphasising a risk management approach. It sets out a minimum list of basic security measures that must be implemented, including policies on risk analysis and information system security, incident handling, business continuity and supply chain security. Organisations should conduct continuous risk assessments and threat modelling, and implement security measures that address identified risks, to ensure that their risk management practices are dynamic and responsive to emerging threats.

Have there been any changes to incident reporting mechanisms? NIS2 also introduces strict rules on the process for incident reporting, the content of the reports and the timelines. Notably, organisations must now notify the relevant competent authorities within 24 hours of becoming aware of a significant incident, a substantial reduction from the previous 72-hour window.

With cybersecurity becoming increasingly important to all organisations regardless of the goods or services they provide, the newly developed NIS2 framework is a significant development. Irrespective of whether your organisation operates across multiple jurisdictions, you should carefully consider the potential applicability of NIS2 (or similar frameworks such as the proposed UK Cyber Security and Resilience Bill) to your organisation and assess future steps in navigating your roadmap to cybersecurity compliance.

If you would like any further information or advice on this matter, please contact Laura Cunningham, Head of Data Protection and Information Law.

*This information is for guidance purposes only and does not constitute, nor should be regarded, as a substitute for taking legal advice that is tailored to your circumstances.

About the author

Laura Cunningham

Partner

Laura Cunningham is a Partner in the Commercial team at Carson McDowell. She is qualified to practice in Northern Ireland, Republic of Ireland and England and Wales. Laura specialises in all aspects of information law including: privacy, confidentiality, data protection, General Data Protection Regulation (GDPR), and freedom of information (FOIA).