NIS2 is the acronym on everyone's lips. The EU's second Network and Information Systems Directive (NIS2) and the Digital Operational Resilience Act (DORA) - effective October 2024 and January 2025, respectively - have ambitious scope and application addressing the growing threat of cyber attacks.

The UK experiences near-daily attempts from hostile cyber actors to target key sectors and supply chains, including recent attacks on critical public services.

Earlier this year, the Monarch announced that the long-anticipated Cybersecurity and Resilience Bill (CS&R Bill) would be amongst new laws heading to Parliament next year. The bill is expected to recognise the need to upgrade the UK's response to growing cyber threats, increasing the number of organisations falling within its scope, enhancing reporting obligations and strengthening regulatory oversight.

Although the bill has not yet been introduced, initial indications released by Government provide signals as to what this means for businesses and, in particular, how the UK will seek to transpose NIS2 to supplement its 2018 implementation of the NIS Directive (NIS1) through secondary legislation.

Perhaps the most critical change that could be introduced by the CS&R Bill is the expansion of regulated sectors. Currently, NIS1 applies to five sectors: energy, transport, health, drinking water supply and distribution, and digital infrastructure. In contrast, NIS2's expanded scope includes 18 sectors, such as waste water management, postal services, chemicals, manufacturing and food production. It is also suggested that sectors involving critical digital infrastructure and B2B ICT services may be prioritised in the new CS&R Bill. Financial services are expected to be covered elsewhere, principally under DORA.

The NIS2 incident reporting framework is another area with which the UK’s CS&R Bill is expected to align. NIS2 imposes stricter reporting timelines, requiring entities to issue an early warning report within 24 hours of detecting a "significant" cybersecurity incident, with a first follow-up report required within 72 hours, followed by a detailed incident analysis within a month.

The CS&R Bill is set to bring in enhanced powers for regulators, potentially mirroring NIS2's enhanced supervisory framework. A notable component of NIS2 is its move toward a more proactive regime, granting regulators the authority to conduct ad hoc audits and inspections (albeit only for those entities classified as "essential") to ensure compliance with cybersecurity measures.

The King's Speech also hinted at cost-recovery mechanisms, ensuring regulators have the necessary resources to enforce compliance, implying that larger fines for non-compliance are coming, similar to the substantial penalties in NIS2.

While the CS&R Bill is unlikely to directly adopt NIS2, it marks a significant evolution from the current NIS Regulations and will likely share many core principles: expanding the range of regulated sectors, shortening incident reporting timelines, strengthening regulatory oversight, and imposing stricter cybersecurity standards. The King's Speech emphasises that the UK does not want to be left more vulnerable to cyber threats once NIS2 has been implemented across the Channel.

Given the developing regulatory landscape, it is essential for relevant businesses to monitor these changes, and audit existing operations and resiliency.

James McGachie, Data Privacy Litigation Partner at DLA Piper

Agenda is a column for outside contributors. Contact: agenda@theherald.co.uk