In November 2022, the EU Council and Parliament adopted the NIS 2 Directive. This proposes an expansion of regulatory coverage that goes far beyond the ambition of the UK government. In the four years of UK NIS implementation, in the rail industry at least, progress has been somewhat disappointing. I would like to discuss why this is so, and to review cyber compliance in the context of rail further, but first to explain what NIS 2 proposes for Europe.
NIS 2 expands the regulations from just “operators of essential services” to providers of essential and important services. Coverage will now include waste water, public administration and space as essential services, and Managed Service Providers (MSPs) will be expected to comply. Smaller organisations will be judged on a sliding scale of requirements depending on their contribution to critical national infrastructure. There is a requirement to address physical security issues, report near-misses and adopt specific ICT products. NIS 2 also proposes NIS certification. Though there is limited detail on how certification will be managed, this is an important distinction, worthy of discussion.