CNI is set for regulatory upheaval

by Mark Rowe

Jack Porter, Public Sector Specialist, at the cyber firm Logpoint, says that Critical National Infrastructure (CNI) is set for regulatory upheaval.

CNI covers a range of infrastructure that is essential for keeping society functioning and is typically seen as comprising the utilities, i.e. energy, water, transport, health services and communications. However, there are a number of other sectors that are just as vital to national independence, such as food, postal services, waste management and chemicals.

Bolstering the security of these organisations is seen as paramount but they are not covered under the existing Network and Information Security (NIS) Directive, which only applies to operators of essential services (OES) and relevant digital service providers (DSPs). What’s more, the NIS has been interpreted and applied differently by member states, leading to fragmentation that makes it challenging for organisations operating in more than one state to harmonise their security and response. And NIS enforcement has been lax, resulting in variable levels of compliance. It’s for these reasons that we’re seeing the introduction of NIS 2 from October 17.

NIS 2 in a nutshell

Under the directive, traditional CNI will be classified as ‘essential’ organisations, while the second tier of organisations previously excluded are deemed ‘important’ organisations. It will also see those that supply IT services brought into scope. But it’s not just applicable across the European Union. Any business outside the EU that is active in or does business inside the EU will also need to comply with these far more stringent regulations.

NIS 2 will compel organisations to improve their resilience and incident response capabilities, levelling up the security baseline as a whole and improving cooperation among member states and their exchange of information. Resilience will be boosted through the implementation of measures to minimise and manage risk such as network security, access controls and encryption. These measures must be approved and overseen by the management bodies of the organisations in scope and they’ll now be held accountable for any failure to meet the requirements which could see them suspended or prevented from holding such office again.

In the event of a ‘significant incident’, i.e. one that could impact service continuity, an ‘early warning’ must be declared to the designated authority (usually a Computer Security Incident Response Team, or CSIRT) within 24 hours, followed by an incident notification within 72 hours and a final report no more than one month after the initial incident. Should the organisation fail to comply with these obligations, it faces a potentially hefty fine. In the case of ‘essential’, i.e. CNI, organisations this could be as high as 10m euros or 2 per cent of total global annual turnover, whichever is higher, while ‘important’ organisations could face fines of up to 7m euros or 1.4 per cent.

Many CNI providers have multiple entities across numerous territories and so will be aware that they need to meet the NIS 2 compliance regulations. But what of those that operate solely in the UK? These may assume they can ignore the directive and continue to observe NIS, which has been enshrined in UK law following the country’s exit from the EU (aka Brexit). But to do so could well be shortsighted.

UK NIS and NIS 2

In the UK, NIS has been revised since it was introduced in May 2018. It was reviewed in 2020, the same year the EU announced it would repeal and revise the directive, and again in 2022. In November 2022 the UK government announced its intention to update the regulations to improve the country’s cyber resilience, and two months later the EU passed NIS 2. It’s therefore fair to say that both have evolved in parallel.

The UK announcement revealed plans to extend the NIS to cover health providers, i.e. the NHS, and to expand DSPs to include Managed Service Providers (MSPs), cloud computing and search engine providers. A two-tier system is proposed for DSP governance, under which the most critical providers become subject to proactive supervision by the ICO while the rest, the vast majority, continue to be subject to reactive supervision, i.e. with guidance and disciplinary measures offered post-incident.

Apart from this supervisory regime change, however, there will be little or no change to cybersecurity risk management obligations. This is in contrast to the far more prescriptive risk and incident management controls and senior management training requirements laid out in NIS 2, and could prove to be a missed opportunity for levelling up across CNI and its suppliers as well as the digital ecosystem.

Under the proposals, ‘essential’ and ‘digital’ service providers will also see their reporting obligations changed. Up until now, only incidents that caused disruption to business continuity were reported, but the proposal would see incidents that did not result in disruption reported to the relevant authority (Ofgem, Ofcom or the ICO). This is similar to NIS 2, which classes as ‘significant’ those incidents where an attack was mitigated or an issue resolved but which could have resulted in disruption. Both changes are due in part to the small number of incidents being reported under NIS, which prevents the authorities from seeing the bigger picture of ‘near misses’. However, the UK revision contains no mention of a timed disclosure, i.e. a 24 or 72 hour window.

The government also intends to give itself the power to amend the NIS regulations in the future to ensure they remain effective without the need to pass an Act of Parliament. Provided the changes are deemed necessary and in keeping with NIS, it will be able to amend the scope, regulation and enforcement of the directive, including any amendment to penalties. It alludes to adding organisations that OES depend upon, meaning their respective supply chains, as well as new sectors that become critical to the economy. This all sounds very similar to the entities brought into scope by NIS 2, although the government has stopped short of categorising these entities. Some reports suggest NIS could be expanded to cover EVs, those offering aggregation for energy suppliers, manufacturing, construction, education, waste and heat pumps, for example.

When will changes to UK NIS happen?

The expectation was for these changes to come into effect this year on the back of a ‘suitable legislative vehicle’, so why haven’t we seen this happen? Firstly, there’s the obvious issue of the impending General Election, which effectively suspends any legislation. But it’s also likely that the government wants to learn from any teething troubles the EU experiences in implementing the directive.

The scope of NIS 2 is highly ambitious, covering nine additional sectors with between 120,000 and 150,000 entities now thought to be under its remit, so the UK will want to see if all of those ‘important’ organisations should be included. It will also need to appoint regulatory bodies for them to report to, and there are, of course, cost implications to this. Another provision made back in 2022 was for regulators to be able to establish a cost recovery system for NIS enforcement, allowing them to recoup costs from regulated organisations so that these do not fall to the taxpayer. This might be in the form of an invoice or through a regular fee. Such provisions will make it easier to expand the regulatory fold.

It is reasonable to assume that the changes proposed for NIS in the UK will come into effect in 2025. This has real implications initially for OES and DSPs (and of course now MSPs) all of whom currently comply by virtue of the NCSC’s Cybersecurity Assessment Framework (CAF). While the NCSC does not play a regulatory role in NIS, it does work with regulators and its CAF collection facilitates compliance, comprising a set of cyber security and resilience principles, supporting guidance and the CAF itself which provides indicators of good practice. The CAF is widely used, with different regulators able to advise how it is used in specific sectors.

How the CAF can help

The CAF is also used by non-OES. It addresses cyber security requirements for organisations within the UK CNI sector, those subject to NIS and those managing cyber-related risks to public safety, such as Control of Major Accident Hazards (COMAH), and so needs to be wide ranging. Indeed, the NCSC states that the terminology is deliberately intended to generalise and extend that used in NIS, because the CAF collection extends beyond those organisations designated as OES in NIS.

The fact that the CAF is based on a set of guiding principles rather than prescriptive rules, and is widely applicable, makes it an ideal starting place for those entities that supply OES or for those working in the other sectors that the government believes may become critical to the economy. So, if you are unsure of what lies ahead and want to take NIS into consideration when implementing new security controls, take a look at the framework.

If we look at Objective C, for example, this details how the organisation can detect cyber security events through effective security monitoring and proactive security event discovery. The detailed guidance then covers monitoring of known threats, discovery of unknown threats by looking for indicators of compromise, and the role of threat intelligence in determining these. With respect to proactive monitoring, it delves into the need for designing alerts, understanding normal behaviour and anomaly detection.
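The two monitoring modes that Objective C describes, matching events against known threats and discovering unknown ones by comparing behaviour to a baseline, can be shown side by side on a few authentication log lines. The following is an added example written for this page, not NCSC, CAF or Logpoint code; the log lines, the indicator list (a documentation-range address) and the per-user failure history are all constructed, and the alerting threshold (mean plus three standard deviations, with a fixed minimum margin) is an assumed choice rather than anything the framework specifies.

```python
"""Illustration of the two monitoring modes described under CAF Objective C:
matching events against known indicators, and spotting anomalies against a
behavioural baseline. Added example; all data below is constructed."""
import re
import statistics
from collections import Counter

# Constructed authentication log lines (not from any real system).
SAMPLE_LOGS = """\
2024-10-17T08:01:02Z user=alice src=10.0.0.5 result=success
2024-10-17T08:03:10Z user=bob src=10.0.0.9 result=success
2024-10-17T08:05:44Z user=carol src=203.0.113.77 result=fail
2024-10-17T08:06:01Z user=carol src=203.0.113.77 result=success
2024-10-17T09:12:13Z user=bob src=10.0.0.9 result=fail
2024-10-17T09:12:20Z user=bob src=10.0.0.9 result=fail
2024-10-17T09:12:27Z user=bob src=10.0.0.9 result=fail
2024-10-17T09:12:34Z user=bob src=10.0.0.9 result=fail
2024-10-17T09:12:41Z user=bob src=10.0.0.9 result=fail
2024-10-17T09:12:48Z user=bob src=10.0.0.9 result=fail
2024-10-17T09:12:55Z user=bob src=10.0.0.9 result=fail
2024-10-17T09:13:02Z user=bob src=10.0.0.9 result=fail
""".splitlines()

# Constructed indicator list: a documentation-range address, not a real IoC.
KNOWN_BAD_SOURCES = {"203.0.113.77"}

# Constructed baseline: failed logins per user on each of the last five days.
BASELINE_FAILS = {
    "alice": [0, 1, 0, 1, 0],
    "bob": [1, 0, 1, 1, 0],
    "carol": [0, 0, 1, 0, 0],
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_events(lines):
    """Turn log lines into dicts. Malformed lines are skipped rather than
    allowed to abort the whole run."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def match_known_threats(events, indicators):
    """Known-threat detection: every event from a listed source is an alert."""
    return [e for e in events if e["src"] in indicators]


def find_anomalies(events, baseline, k=3.0, min_margin=2):
    """Anomaly detection: flag users whose failed-login count today exceeds
    their historical mean by more than k standard deviations. The minimum
    margin stops a flat baseline (stdev 0) from alerting on a single failure.
    Users with no history are compared against an all-zero baseline."""
    fails_today = Counter(e["user"] for e in events if e["result"] == "fail")
    flagged = {}
    for user, count in fails_today.items():
        history = baseline.get(user) or [0]
        mean = statistics.fmean(history)
        sd = statistics.pstdev(history)
        limit = mean + max(k * sd, min_margin)
        if count > limit:
            flagged[user] = {"fails": count, "limit": round(limit, 2)}
    return flagged


def run_monitoring(lines, indicators=KNOWN_BAD_SOURCES, baseline=BASELINE_FAILS):
    """Combine both modes into one report, as a monitoring pipeline would."""
    events = parse_events(lines)
    return {
        "known_threats": match_known_threats(events, indicators),
        "anomalies": find_anomalies(events, baseline),
    }


if __name__ == "__main__":
    report = run_monitoring(SAMPLE_LOGS)
    for e in report["known_threats"]:
        print(f"KNOWN   {e['ts']} {e['user']} from {e['src']} ({e['result']})")
    for user, info in report["anomalies"].items():
        print(f"ANOMALY {user}: {info['fails']} failed logins, limit {info['limit']}")
```

On the constructed data the indicator match raises carol's two events from the listed address (including the successful login, which is the one worth investigating), while the baseline check raises bob, whose eight failures are far outside his history; carol's single failure stays below her limit, which is the point of comparing against normal behaviour rather than a fixed count.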

Thus, the CAF provides an approach to assessing the extent to which cyber risks are being managed, through self-assessment or by an independent external entity such as a regulator. The CAF guidance and principles provide the foundations and are written as outcomes rather than a specific checklist, and these top-level principles are augmented with additional detail, including a collection of Indicators of Good Practice (IGPs). Indicators in the IGP tables will usually provide good starting points for assessments but should be used flexibly and in conjunction with the associated NCSC guidance. They are not a checklist, an exhaustive list, or applicable to everyone.

Future considerations

Admittedly, the CAF too will inevitably change as revisions are made to NIS. The NCSC is expected to play a key role in overseeing any changes, such as issuing guidance on reporting thresholds for significant incidents that were prevented from achieving, or did not achieve, a high impact, as well as on what those incident reports should contain. Yet while the CAF will align with UK NIS, there’s still the issue of how NIS will align with NIS 2.

The revisions to NIS are nowhere near as far reaching, and that could be to our detriment. Organisations that need to comply with both could find it onerous to do so, and the UK could well miss out on one of the key aims of NIS 2: to enable intelligence to be shared more readily within key sectors and across member states to identify and stymie attacks. What’s more, if we look at the general direction of travel in incident reporting regulations, it’s clear that timely disclosure and accountability are becoming key to improving resilience, as witnessed by the recent revisions to the SEC disclosure reporting requirements.

Our expectation is that over time NIS and NIS 2 will gradually align more closely, but for now those who supply OES or DSPs, or who think they may well come into scope, should be using the CAF. This will help to guide them when reviewing and investing in security processes and controls, effectively futureproofing their operations.