Nicholas De Lacy-Brown, Josh Turner and James McGachie | Privacy Matters | DLA Piper Data Protection and Privacy | DLA Piper
https://privacymatters.dlapiper.com/author/nicholas-de-lacy-brown/
Thu, 17 Apr 2025 15:09:10 +0000

UK: Will UK cyber reforms keep step with NIS2?
https://privacymatters.dlapiper.com/2025/04/uk-will-uk-cyber-reforms-keep-step-with-nis2/
Thu, 17 Apr 2025 15:08:47 +0000

Since its announcement during the King’s Speech on 17 July 2024, there has been much anticipation over the contents of the Cyber Security and Resilience Bill (“CS&R Bill”), and in particular the extent to which it will bring the UK into alignment with its European counterpart, the NIS2 Directive. Currently, cyber regulation in the UK relies heavily on the 2018 transposition of the NIS1 Directive (in the form of the NIS Regulations 2018), whose far narrower scope applies to critical infrastructure and digital service providers only. Now, given the substantial progress in NIS2 implementation across Europe (Finland being the latest Member State to fully implement as at the date of this article), the appetite for UK cyber security reform continues to grow.

In a recent update from the Secretary of State for the Department for Science, Innovation and Technology (Cyber security and resilience policy statement – GOV.UK), the UK Government has started to address some of this anticipation, dropping clues as to how the CS&R Bill will look when compared to its European cousin. So, what have we learnt about the Bill and its alignment with NIS2?

Expanded scope

In addition to the current in-scope sectors (energy, transport, health, drinking water supply and distribution, and digital infrastructure, as well as some digital services such as online marketplaces, search engines and cloud computing), the policy statement confirms the intention to bring Managed Service Providers (“MSPs”) within the remit of cyber security regulation, subjecting them to the same duties as ‘relevant digital service providers’ under the current NIS Regulations. MSPs (also regulated under NIS2) are B2B services that provide IT systems, infrastructure and network support.

The Government also demonstrated its commitment to bolster supply chain security for operators of essential services (“OES”) and relevant digital service providers (“RDSPs”) that meet certain thresholds. Secondary legislation is intended to be used as a vehicle for imposing stricter duties on contractual requirements, security checks and continuity plans, in an effort to target underlying cyber vulnerabilities in supply chains, echoing, if not exceeding, the requirements of NIS2 to ensure cybersecurity controls extend to the supply chains of in-scope entities. Additionally, regulators will have the power to identify suppliers of critical services (including SMEs) whose disruption could cause significant impacts on the essential or digital service being supplied. These will be classed as “designated critical suppliers” (“DCS”), bringing them within scope of core security requirements and reporting obligations.

While expansion of the UK’s cybersecurity regime to include MSPs and critical supply chains will bring us one step closer to the reforms sweeping EU nations, it is unclear whether the UK will follow Europe in expanding the scope of cyber regulation to include sectors such as public administration entities, space, manufacturing, food production and postal and courier services (to name but a few).

Regulatory reinforcement

Perhaps amongst the measures most easily associable with the CS&R Bill’s European counterpart will be the updated incident reporting criteria. Incidents that are “capable of having a significant impact on the provision of essential or digital services and that significantly affect the confidentiality, availability, and integrity of a system” will need to be reported. This closely follows the requirements found in Art 23 of NIS2, as does the requirement that entities such as data centres and those providing digital services will be obligated to report incidents directly to customers in certain instances.

Equally close in their resemblance to NIS2 are the reporting deadlines, with the relevant regulator and the National Cyber Security Centre (“NCSC”) to be notified of significant incidents within 24 hours, and further incident reports to be provided within 72 hours. As the policy statement makes clear, “in practice [the Government] intends this procedure to be similar to, and no more onerous, than the… NIS2 directive”.

To provide some steer to regulators in their additional duties, the Government aims to issue a code of practice setting out guidance on minimum regulatory requirements, which will put the existing NCSC Cyber Assessment Framework (CAF) profiles on a firmer footing and extend their scope to include OES. Particular focus is also given to the UK Information Commissioner (“ICO”) as a national guardian of cyber security, with a raft of seemingly familiar powers relating to registration and notice requirements, information sharing and enforcement being introduced to support risk identification and mitigation. This all comes with a boost in financial means, as regulators will be able to set fee regimes and recover costs through various measures in order to help finance their increased regulatory workload.

Measures to keep on your radar

Despite not confirming their inclusion in the CS&R Bill, the Government flagged upcoming measures to keep an eye on. Most notable would be the classification of data centres as an essential service, bringing them within scope of the regulatory framework and aligning with NIS2’s approach. This has been contemplated since their designation as Critical National Infrastructure in September 2024 and would aim to strengthen the level of consistency and protection across the sector.

Other contemplated measures include bolstered powers for the Secretary of State, allowing a Statement of Strategic Priorities to be issued as well as powers of direction relating to entities and regulators. Collectively, these would allow the Government to require certain actions be taken to address significant incidents and threats to national security.

Conclusion

In summary, it is clear that the Government’s planned amendments to the current NIS Regulations will take clear and decisive steps to bridge UK cyber laws and the new European NIS2 regime. However, the CS&R Bill does not appear to be following NIS2 in expanding the reach of its reforms to a raft of new industries. While Managed Service Providers are the biggest industry to which the new UK laws will apply, it is likely that many of the industries new to the NIS2 regime – for example food producers and chemicals manufacturers – will remain beyond the UK’s cyber reforms. Only time will tell whether that remains the case when the fully-formed Bill hits the statute books, the timing of which is still unclear.

From the little we do know however, it is evident that the burden and application of cyber regulation together with accompanying cyber certifications and industry standards will only increase, making it more critical than ever that businesses operating in both the UK and beyond continue to focus on enhancing their cyber controls, underpinned by robust cybersecurity governance and equally robust controls on supply chains. Only then can businesses be ready for the inevitable swathe of new cyber regulation hitting UK shores, as well as the very real cyber threat it is all aimed at combatting.

UK: The UK Cybersecurity and Resilience Bill – a different approach to NIS2 or a British sister act?
https://privacymatters.dlapiper.com/2024/10/uk-the-uk-cybersecurity-and-resilience-bill-a-different-approach-to-nis2-or-a-british-sister-act/
Tue, 01 Oct 2024 13:14:24 +0000

In the much-anticipated first King’s Speech of the new Labour Government on 17 July 2024, the monarch announced that the long-anticipated Cybersecurity and Resilience Bill (CS&R Bill) would be amongst those new laws making their way onto Parliament’s schedule for the next year. Six years on from the implementation of the NIS Regulations 2018 (NIS Regulations), which, in common with our fellow EU Member States of the time, were based on the EU’s NIS1 Directive, the CS&R Bill recognises that the time is ripe for reform. While the NIS Regulations clearly took a step in the right direction towards achieving a high level of cybersecurity across critical sectors, the new Bill recognises the need to upgrade and expand the UK’s approach to keep in step with an ever-increasing cyber threat.

But in the UK, we are not alone in recognising cyber as one of the most significant threats of our age. In the recitals to NIS2, the EU Commission notes that the “number, magnitude, sophistication, frequency and impact of incidents are increasing and present a major threat to the functioning of network and information systems”, with the result that they “impede the pursuit of economic activities in the internal market, generate financial loss, undermine user confidence and cause major damage to the Union’s economy and society”. The EU’s response was to enact a bolstered NIS2 which significantly expands the number of entities directly in scope; includes a focus on supply chains; enhances the powers of enforcement and supervision available to local authorities; steps up incident reporting obligations; and imposes ultimate responsibility for compliance at senior management level. With DORA, the EU adds another layer of regulation, trumping the requirements of NIS2 for the financial services sector.

So how will the UK’s new Bill compare? Our article looking at the initial indications released by Government to try and answer that question is available here.

EU: The NIS2 Enigma: who will be caught by the EU’s updated cyber requirements?
https://privacymatters.dlapiper.com/2023/10/eu-the-nis2-enigma-who-will-be-caught-by-the-eus-updated-cyber-requirements/
Tue, 17 Oct 2023 10:04:02 +0000

The arrival of NIS2 is only one year away. With significantly enhanced requirements around cybersecurity management extending across the supply chain, increased reporting obligations in the case of a cyber breach, and personal liability for senior management, working out whether or not an organisation will be in scope for NIS2 will be an important question, instigating possibly months of preparation if the answer is yes. NIS2 has increased the number and type of sectors to which the former NIS1 rules will apply, but the question of NIS2’s application will also depend on an organisation’s size and where it offers its services.

Unpacking the scope and territoriality rules under the NIS2 Directive

One year from now – on 17 October 2024 – the implementation deadline of the second Network and Information Systems (“NIS2”) Directive will be upon us. As the countdown to that deadline begins, many organisations will be looking to determine the all-important question: Are we caught by NIS2?

Having substantially enhanced the cybersecurity obligations on in-scope entities from those found under the first NIS Directive, including enhanced reporting obligations, personal liability for management bodies and broad supply chain impacts, being caught by NIS2 is not something an organisation can take lightly. For those in scope, preparation will be key to ensuring cyber standards are up to scratch, supply chains are ready and an organisation’s executive can stand by their cybersecurity measures.

What is NIS2?

Part of the EU’s Cybersecurity Strategy, NIS2 repeals and replaces the original NIS Directive which entered into force in 2016 (with Member State implementation by 9 May 2018). Much like its predecessor, it establishes measures for a common level of cybersecurity for critical services and infrastructure across the EU. Recognising the ever-growing threat which cyber-crime poses for the economic and societal stability of the Union, NIS2 aims to harmonise cyber-resilience through the following obligations:

  • Ensuring appropriate and proportionate cybersecurity risk management measures are in place following an “all-hazards” approach which is proportionate to risk, entity size, the likelihood of a security incident and the severity of economic/social impact were it to happen. Notably, and unlike its NIS1 predecessor, the cost of implementation can be taken into account when determining what measures are appropriate and proportionate.
  • Supply chain diligence – as part of assessing its own cybersecurity measures, an in-scope organisation must now assess and assure the cybersecurity practices of its supply chain including how cybersecurity obligations are driven by contractual mechanisms.
  • Three-stage reporting obligations upon the occurrence of a “significant incident”[1] – the first report required will be an early warning within 24 hours of first awareness. This should be followed by a second, more comprehensive notification within 72 hours, and a more detailed report within one month of the initial notification.
  • Executive approval and oversight – management bodies of in-scope entities must both approve and oversee the implementation of their cybersecurity risk management measures. They will be personally liable for any fines which might result from a breach. NIS2 also gives supervisory authorities the power to suspend relevant management functions pending implementation of measures to address any breach. Management bodies are also required to undertake and follow training on cybersecurity measures, and offer similar training to their employees on a regular basis.
  • Enhanced supervision and enforcement – these can be grouped into powers of audit and inspection, enforcement, and temporary suspension of management functions/relevant security certifications. Fines will be in addition to other enforcement measures, and can reach a maximum of €10 million/2% of total global annual turnover for Essential Entities, and €7 million/1% for Important Entities.

Who is in scope for NIS2? Unpacking the three-limbed criteria

The reach of NIS2 is significantly wider than its predecessor. No longer applying solely to “Operators of Essential Services” and “Digital Service Providers”, NIS2 has been expanded to include a greater number of named sectors including: managed service providers, social media, waste management, medical device manufacturers, postal services, food, space (as in rockets, not storage), chemical distribution and public administration services.

The main determining factor of whether an entity is in scope will be whether it falls within those sectors specifically called out in the Directive. But that alone is not determinative, as a listed entity must also meet a size threshold and be providing services or carrying out activities in the EU for NIS2 to apply.

There are consequently three criteria determining whether or not an entity is in scope for NIS2:

  1. The entity falls within a sector listed in Annex I or II
  2. The entity meets or exceeds the definition of a Medium-Sized Enterprise, or is otherwise in scope regardless of size
  3. The entity provides services or carries out activities in the EU

Does my organisation fall within a sector listed in Annex I or II?

NIS2 will only apply to those entities falling within Annexes I and II of the Directive. Annex I lists those entities characterised as “Sectors of High Criticality” while Annex II lists “Other Critical Sectors”. The distinction between Annexes has less impact than the further classification of in-scope entities into “Essential Entities” and “Important Entities”. It is this latter distinction which will then determine the level of supervision and enforcement which will apply to the relevant entity. For example, enforcement measures are applied ex post or “after the event” with respect to Important Entity breaches, while for Essential Entities, supervisory and enforcement measures are expected to be more proactive.

The general rule however is that Annex I sectors will tend to be “Essential Entities” and Annex II will be “Important Entities”. However, the correlation is not always true. For example, Member States have the power to characterise sectors in both Annexes I and II as either “Essential” or “Important” regardless of their size, and government public administration will always be regarded as “Essential”. What becomes clear, therefore, is the importance of Member States, not only in their implementation of the Directive, but also in determining which entities will be in-scope, and how they are classified.

The Annex I sectors can be broadly described as those providing services in: energy; transport; banking; financial market infrastructure; healthcare providers (including manufacture of basic pharmaceutical products and manufacturing medical devices considered critical during a health emergency); drinking water; waste water; digital infrastructure; IT service management (B2B); public administration; and space.

Annex II entities are those providing: postal courier services; waste management; manufacture, production and distribution of chemicals; production, processing and distribution of food; and the manufacturing of medical devices, computer, electronic and optical products, electrical equipment, machinery, motor vehicles and other transport equipment (all as defined in section C of NACE).

Does my organisation meet or exceed the size threshold?

In order to be considered in scope for NIS2, an entity must meet or exceed the ceilings for medium-sized enterprises (“MSE”) as defined under Recommendation 2003/361/EC.

Article 2 of the Annex to that Recommendation defines “MSE” as enterprises “which employ fewer than 250 persons and which have an annual turnover not exceeding EUR 50 million, and/or an annual balance sheet total not exceeding EUR 43 million” (emphasis added). In order to qualify as an MSE, a relevant organisation must therefore satisfy both the staff number criterion and a financial criterion. There is intentional flexibility built in around whether turnover or the balance sheet is used as the financial indicator of status, but one such financial indicator must always be combined with the staff criterion.

The Recommendation also takes into account an organisation’s relationship with certain “linked” or “partner” enterprises for the purposes of assessing MSE status (see Article 3 of the Annex to the Recommendation and recital 9 in particular). Therefore, a small organisation which otherwise falls below the staff and turnover/balance sheet criteria, but which is nevertheless linked to another organisation by virtue of factors such as parent company or joint shareholder voting rights, or the exercise of dominant influence over a linked or partner enterprise, may qualify as an MSE for NIS2 purposes.

Does my organisation provide services or undertake activities in the EU?

Under the final limb of the scope criteria, NIS2 will apply only to those entities who provide services or undertake activities in the EU. This is a narrower test than GDPR, which can catch organisations by virtue of establishment alone, irrespective of whether the target activity – in that case processing of personal data – takes place in the Union or not.

The outcome of this narrower scope appears to mean that in a model where a global organisation has a parent company outside of Europe and subsidiaries within the EU, only the individual entity physically providing services or undertaking activities in the EU will be caught. However, cyber risk management requirements will apply to the entire supply chain as part of the broader obligations on in-scope entities. As a result, parent companies outside of the EU may still be caught.

It is also worth noting the rules on jurisdiction and territoriality contained in Article 26. These rules deal with establishment but only for the purposes of determining under which Member State jurisdiction an in-scope entity will fall. This could be important, especially since Member States may interpret and implement the Directive differently, and indeed are permitted to exceed its baseline standards when implementing NIS obligations into Member State law. Member States will also be key to determining which entities will be in scope for NIS2 within their jurisdictions and therefore who will be under the watchful eye of their regulators.

Is there a materiality criterion for the application of NIS2?

One final factor to consider is whether or not the services caught by NIS2 are sufficient to trigger application of the Directive when they constitute a minor part of an organisation’s overall offerings. For example, if 95% of an organisation’s services are not listed in Annex I or II of the Directive (or are otherwise not provided within Europe), but 5% of its services are of a nature that they are caught by Annex I or II (or provided within Europe), will that 5% be sufficient to bring the whole organisation into the scope of NIS2?

The simple answer is that there doesn’t appear to be a materiality criterion for the application of NIS2. The scope of the Directive is determined by the three factors stated above. While the size of the entity is therefore a factor, the proportion of its business activities that are in scope, insofar as those activities vary, does not appear to be relevant. Rather, this is something of an all-or-nothing question: if, as an entity, you distribute chemicals as listed in Annex II, you are an entity in scope for NIS2 (assuming the MSE and EU activities criteria are also met).

The result is that this will invariably come down to a risk assessment, by an organisation, around the applicability of NIS2. If a mere 5% of its business is in scope, is that enough to attract the attention of a Member State regulator if NIS2 is not being complied with?

Here, it is important to remember that under Article 3(3), it is Member States who will ultimately have the final say over which organisations they will include on a Member State’s list of Essential and Important entities falling within their jurisdiction. This list must be provided to the EU Commission by 17 April 2025.

We do not yet know how each Member State will come to pull this list together, and guidance around Article 3 NIS2 published by the EU Commission on 13 September 2023[2] did little to clarify the matter. There is of course the very high possibility that Member States will interpret NIS2 differently, resulting in lists which look very different from one jurisdiction to another. The result is that to some extent, the decision of applicability may be outside of an organisation’s control, and it will be interesting to see whether any form of appeals process may be put in place where an organisation does not agree with a Member State’s determination.

Direct and indirect application

For entities that do not directly fall within the scope of NIS2, the application of NIS2 to an in-scope entity’s supply chain may mean that an organisation finds itself indirectly impacted by the legislation in a way which is almost as significant as being directly in scope. This might be the case, for example, for organisations in the UK who do not provide services within the EU but are nevertheless in the supply chain of businesses who do. It could equally be the case for a small SME which has otherwise fallen outside of NIS2 by virtue of the size criterion mentioned above.

Under NIS2, in-scope entities must now assure the cyber-resilience of their supply chain when implementing their own cybersecurity risk management measures. The Directive does not provide a lot of detail on how this translates into practical assurance measures, although reference is made to the contractual mechanisms used to obtain legally enforceable guarantees of a supplier’s cybersecurity measures. Supply chain organisations might therefore expect to see enhanced contractual obligations relating to their security stance, but also increased rights of due diligence and audit in favour of the customer/in-scope organisation.

Additionally, since supply chain organisations might also be key to facilitating the in-scope entity’s compliance with NIS2 reporting requirements, we are also expecting to see more exacting requirements making their way into contracts which require supply chain businesses to provide timely and detailed reporting, together with ongoing assistance, with respect to security incidents meeting the reporting threshold. While these obligations may not be novel in the age of GDPR security reporting, it should be remembered that NIS2 reporting will apply to cyber incidents more broadly, and not just those impacting on personal data.

Conclusion – Is an organisation in scope for NIS2? Member States may yet have the final word

The scope of NIS2 is far from straightforward, and for any organisations left pondering the application of NIS2 to their businesses, clarity is likely to come when Member States get involved.

Not only will Member States have until 17 October 2024 to transpose the Directive into their national law, but as discussed above, they are also required to produce a list of Essential and Important entities to whom they consider NIS2 applies. However, the deadline for doing so is 17 April 2025, some 6 months after the implementation deadline, which could mean further uncertainty for those organisations unclear on the application of NIS2 when it first becomes national law.

There is however likely to be a degree of consultation between in-scope organisations and Member States – Article 3(4) NIS2 for example recommends Member States operate a self-registration portal for those entities who believe they are in scope, and suggests that a degree of consultation between Member States and target entities will be likely. It isn’t however clear whether Member States will offer an appeals process for entities who do not agree with a Member State’s determination that they are in scope for NIS2. There is also every possibility that an organisation operating across multiple Member States could find themselves in scope of NIS2 in one Member State, and not in another.

All this means that for organisations on the fringes of NIS2, the question of its application remains unclear. In such circumstances, organisations should consider preparing as though NIS2 will apply – in addition to the risks of fines and enforcement under NIS2, taking pre-emptive action by, for example, improving cyber security management and the awareness of cyber risks at senior management level is an opportunity for organisations to build customer trust, strengthen market position and minimise the risk of cyber-attacks occurring.

For advice on whether or not your organisation is likely to fall under NIS2, please contact your usual DLA Piper contact.


[1] Defined as an incident “causing or being capable of causing severe operational disruption of services or financial loss or has affected or is capable of affecting natural or legal persons by causing considerable material or non-material damage”.

[2] Commission Guidelines on the application of Article 3(4) of Directive (EU) 2022/2555, C(2023) 6070, 13 September 2023
