t: 0333 666 5777 e: hello@itgl.com

ITGL Limited, Trafalgar House,
223 Southampton Road,
Portsmouth, PO6 4PY

Is your organisation ready for NIS2 compliance?

With the long-awaited NIS2 (Networks & Information Systems) Directive now in force throughout the European Union, the clock is ticking for affected organisations to ensure compliance with the updated regulations ahead of the European Commission’s 17th October deadline. First introduced in 2016, the NIS Directive establishes a framework to assess an organisation’s cybersecurity and digital maturity. In response to rapidly evolving threat landscapes and the increase in digitisation across industries, the NIS2 update has expanded the scope of the original rules with the aim of improving the resilience and incident response capabilities of organisations under its purview.

For UK organisations, determining the impact of the NIS2 update is not straightforward, as the UK no longer aligns with EU regulations. The UK’s existing NIS regulations were directly derived from those of the EU, but this time the government has announced that it will not be adopting the NIS2 Directive wholesale. Instead, its intention is to introduce a number of its own changes to the existing rules, in order to update and expand its cybersecurity regulations along similar lines to those of NIS2. To complicate things further, UK organisations conducting business within the EU will need to comply with both the new NIS2 Directive, as well as any UK-specific changes.

As a result, it’s crucial for organisations to understand which regulations apply to them – whether it’s NIS2, the UK’s own NIS regulations, or both. Although the NIS2 regulations are already in effect, the EU has set an October deadline to provide affected organisations with time to implement the necessary changes. Meanwhile, the UK has yet to enshrine its updates in law, with the new legislation unlikely to be presented to parliament until 2025. This timeline means that organisations cannot wait until the UK’s own update is finalised to make the required changes in one go. While the proposed changes can be found on the gov.uk website, an uncertain year ahead – including a national election – means that the final regulations may not match the information currently available.

Organisations aiming for NIS2 compliance have some good news, in that they are likely to be some way along their journey already, through existing adherence to international standards. ISO 27001, in particular, covers about 70% of the requirements for NIS2, and is the globally recognised standard for information security, cybersecurity, and privacy protection. The European Union Agency for Cybersecurity (ENISA) provides an online tool to help organisations map the new NIS2 regulations against standards that they are already following, in order to more easily identify the areas that need further attention.

With the October deadline fast approaching, and regardless of whether your organisation already complies with standards such as ISO 27001, conducting a comprehensive assessment of your cybersecurity practices is essential. Such an assessment will clarify where you stand with regard to the new rules, allowing you to create a detailed roadmap with achievable milestones, in order to guide your organisation to full compliance in time for the deadline.

For organisations whose IT teams are already at full capacity maintaining day-to-day operations, external assistance can be invaluable in developing such an assessment and roadmap. Our team of experts has extensive experience in mapping out existing estates and assessing an organisation’s digital maturity and cybersecurity threat surface. To find out more about how we can assist you in achieving NIS2 compliance, or to conduct a security audit ahead of the UK’s forthcoming regulations, get in touch at security@itgl.com.

Published by Cybersecurity Practice

March 26, 2024