Navigating Regulation Discrepancies: EU’s NIS 2 v UK's Cyber Security and Resilience Bill

In July 2024, the newly elected UK government introduced the Cyber Security and Resilience Bill, a much-anticipated new cybersecurity law aimed at bolstering the nation's digital defences.

This new bill, announced in the King’s Speech on July 17, will build upon the foundations laid by the EU’s Network and Information Systems (NIS) directive.

It is commonly seen as the UK’s response to the NIS 2 directive, which is expected to be transposed into national laws across all 27 EU member states by October 17, 2024.

While sharing a common goal of protecting critical infrastructure and supply chains, the two legislative frameworks could also present distinct differences.

Infosecurity breaks down some of the similarities and differences between the Cyber Security and Resilience Bill and NIS 2 as both legislative frameworks currently stand.

Key Similarities Between the Cyber Security and Resilience Bill and NIS 2

Extended Scope

The primary objective of both pieces of legislation is to expand the scope of covered organisations.

With NIS 2, the number of verticals covered by the directive will be expanded from seven to 17, with over 160,000 businesses estimated to fall under the new text.

These 160,000+ businesses in 17 sectors will be divided into the two following tiers:

    1. Essential entities, comprising the seven verticals covered by NIS 1, including an extended understanding of the energy sector, as well as three additional sectors (public administration, wastewater, space).

    2. Important entities, including postal services, food manufacturing and distribution, social media and chemical production.

In the UK, the current cyber regulations cover five sectors (transport, energy, drinking water, health and digital infrastructure) and some digital services, including online marketplaces, online search engines, and cloud computing services.

The UK government said in background notes that one of the new bill’s three pillars will be to “expand the remit of the regulation to protect more digital services and supply chains.”

Stricter Incident Reporting

In both cases, incident reporting requirements will be stricter than with the initial NIS directive.

NIS 1, currently enforced in the EU and the UK, requires covered organisations to report a cyber incident within 72 hours.

In the EU, this will still apply to important entities.

However, organisations that fall under the ‘essential entity’ category must report a cyber incident within 24 hours.

Similarly, the UK government’s background notes for the Cyber Security and Resilience Bill mention “mandating increased incident reporting to give the government better data on cyber-attacks” as another of the bill’s three pillars.

It also specified that these stricter requirements would apply to ransomware attacks.



Higher Fines and Penalties

Both pieces of legislation plan to impose higher fines than NIS 1, which established four levels of fines for non-compliance, ranging from up to £1m (€1.2m) for a contravention that could not cause an NIS incident to up to £17m (€20m) for the most serious cases.

In the case of non-compliance with NIS 2, European organisations categorised as “essential entities” will pay fines of either 2% of their worldwide annual turnover recorded during the preceding financial year or €10m (£8.6m), whichever is higher.

For important entities, non-compliance fines are the higher of 1.4% of annual turnover or €7m (£6m).

The UK’s Cyber Security and Resilience Bill is also expected to introduce higher fines and penalties for organisations that fail to comply with the mandated cybersecurity standards, although the amount has not been shared at the time of writing.

Focus on Supply Chain Security

NIS 2 emphasises that organisations should proactively manage risks introduced by third parties. This includes all suppliers and service providers and should be considered from a multidisciplinary risk perspective.

The directive also provides a list of security measures covered organisations must implement to mitigate supply chain security risks.

The background notes for the UK’s Cyber Security and Resilience Bill also cite supply chain security as a focus.

Although little is known about the extent of the UK bill’s requirements regarding supply chain risks, it should expand the remit of regulators to cover supply chains and address the growing prevalence of supply-side attacks, where malicious actors enter networks via third-party suppliers.

Key Differences Between the Cyber Security and Resilience Bill and NIS 2

Scope of the Extended Coverage

While both pieces of legislation plan to expand the scope of covered organisations, subtle differences in the specific sectors or types of organisations included might exist.

These will most likely be determined by the type of threats that both markets have been facing as well as by what their crown jewels are.

For instance, the UK has historically imposed stricter regulations on the financial sector, which represents a significant part of the British economy.

In the EU, another piece of cybersecurity legislation, the Digital Operational Resilience Act (DORA), is fully dedicated to the financial sector. It will prevail over NIS 2 for the entities it covers.

Enforcement

In the EU, member states are responsible for implementing and enforcing the NIS 2 directive with their own specificities and their own calendar.

This means that each national law transposing NIS 2 may show some differences, even within the EU.

In the UK, however, the bill will be enforced as soon as it is voted on, adopted, and published as law.

The UK government has also expressed a desire to strengthen regulators' power to ensure the implementation of essential cyber safety measures.

“This would include potential cost recovery mechanisms to provide resources to regulators and providing powers to proactively investigate potential vulnerabilities,” the UK government’s background notes explain.

The UK government could even establish a dedicated regulatory authority with enforcement powers and penalties tailored to UK requirements.
