Feb 14, 2024
If you operate in the EU or UK or have clients in the region (e.g. headquartered in the US but with a regional office in an EU country or the UK working with local customers), you’re probably familiar with the Network and Information Security (NIS) Directive. Recently, the EU introduced NIS2, while the UK plans to update similar legislation.
The new regulations will expand the scope to include MSPs, addressing their critical roles in ensuring organizations’ business continuity and the growing risks of supply chain attacks. Meanwhile, additional sectors added to the NIS2 mean more companies will turn to MSPs to help them achieve NIS2 compliance in the coming months.
What do MSPs need to know about the NIS2 Directive? How will it affect MSPs operating in the EU and UK? How can you achieve compliance for your company and leverage the business opportunities to drive revenue within such a tight timeline?
What is the NIS2 Directive?
The NIS2 Directive is an EU law aiming to achieve high cybersecurity standards across member states to strengthen Europe’s resilience against current and future cyber threats. It covers four overarching areas: risk management, corporate accountability, reporting obligations and business continuity.
The NIS2 Directive went into effect in January 2023 as the second version of the EU’s first cybersecurity directive, the NIS Directive. It includes additional sectors, implementation guidelines, and stricter non-compliance penalties. EU Member States must transpose the NIS2 requirements into national laws by 17 October 2024.
NIS2 vs NIS: What’s new?
The NIS2 Directive has three main goals:
Improve cyber resilience in Operators of Essential Services (OES) across the EU.
Increase consistency in resilience levels in sectors already covered by the NIS.
Augment information sharing and incident response capabilities.
Besides protecting critical national infrastructure, the legislation aims to lessen a cyber incident’s impact on a country’s economy. It generally applies to mid- or large-sized companies with 50 or more employees or an annual turnover of €10 million, as well as some public organizations.
The most significant updates to the NIS2 scope include new sectors like telecoms, energy, transport, banking, digital infrastructure, wastewater and the food industry. It’s also expanded to cover MSPs operating in the region.
The Directive imposes higher fines (up to 2% of annual turnover or €10m/£8.6m, whichever is higher) and introduces 31 minimum security measures. These include regular risk assessments, information security policies, incident management, intrusion detection, robust encryption technology, multi-factor authentication and crisis management capabilities to ensure business continuity.
Organizations are responsible for managing cybersecurity risk in their supply chains and supervising their vendors’ security postures. Also, they must report incidents with potentially severe impact within 24 hours of discovery, provide a full notification report after 72 hours, and submit a final report in one month.
Additionally, companies must regularly test and audit their security measures and provide ongoing training on information security best practices and changes in the risk landscape to all employees. The Directive also holds senior management responsible for their organizations’ security functions.
How does the NIS2 Directive affect MSPs in the UK?
The UK enforced NIS Regulations in May 2018 following the EU’s 2016 NIS Directive and passed non-binding regulations around the NIS2 Directive in 2023. However, the UK’s regulations diverge from the NIS2 Directive in several areas.
Like the NIS2 Directive, the UK legislation expands the type of in-scope digital service providers to MSPs. It’s more prescriptive about organization size and exempts data centers, software developers, and small businesses. However, the regulator can designate specific small digital service providers to be in scope if they’re considered essential to the UK’s critical services or national security.
The UK legislation also requires essential and digital services to provide cyber-incident reporting to national regulators such as the Office of Communications (Ofcom), the Office of Gas and Electricity Markets (Ofgem) and the Information Commissioner’s Office (ICO). It covers a broader range of incidents with a high risk of impacting services, even if they don’t cause immediate disruption.
How to navigate NIS2 compliance in the EU and UK
With the inclusion of MSPs in the NIS2 scope and the growing prevalence of supply chain attacks, MSPs operating in the EU and UK must implement the appropriate cybersecurity measures and a comprehensive security stack to protect their networks. These include 24/7 monitoring, vulnerability management, a robust incident response plan, and NIS2-compliant reporting procedures.
Meanwhile, more organizations will look to MSPs to help them achieve NIS2 compliance. As such, you must also dedicate resources to capture these business opportunities.
Although there are similarities between NIS2 and its UK counterpart, the differences will require divergence in the security and compliance measures. Companies must carefully assess their cybersecurity compliance obligations if they operate in the EU and the UK — likely performing compliance exercises twice instead of once due to the different timing.
The complexity means more organizations will rely on MSPs to help them achieve NIS2 compliance — especially in the small and medium enterprise (SME) sector, where companies are most affected by new regulations and don’t have in-house resources for compliance management.
So, what services should you incorporate into your cybersecurity offerings? Here are the top categories:
24/7/365 SOC monitoring and logging
Vulnerability management and risk assessment
Weekly scans and threat reporting
Information system security audit and risk analysis
Intrusion detection and incident response
Authentication, identification, and access control
Physical and environmental security
Backup and disaster recovery management
Kill two birds with one stone: Achieve compliance and grow your business
The aggressive NIS2 Directive timeline means time is of the essence for MSPs, who must achieve NIS2 compliance and provide the necessary security services to capture business opportunities, increase revenue from existing accounts, and attract new clients with relevant services.
enhanced.io’s turnkey SOC as a Service solution gives you access to security tools and SOC functions to help your clients achieve and maintain NIS2 compliance. Meanwhile, you can leverage our dedicated security package for MSPs and MSSPs to add the necessary monitoring, assessment, incident response and reporting capabilities to protect your business from supply chain attacks.