Is divergence worth it?
The UK Government might argue that its more flexible, risk-based approach (leaving much of the detail to secondary legislation and regulator guidance) can achieve the same results but at a lower cost to business. However, any organisations that are "essential" or "important" entities with customers across the UK and the EU will need to comply with NIS2 in any event. As such, the space for the UK to gain competitive advantage from a divergent approach may be somewhat limited – and if the UK diverges significantly from the EU's approach, those same businesses will face extra costs from having to comply with two substantially different sets of rules. Given the UK Government's aim to "minimise regulatory burdens", it is to be hoped that it will be cognizant of this risk.
A more positive way of viewing the UK's approach is that if it can prove that its regulatory regime is superior to that of the EU (i.e. it achieves broadly the same objectives but at lower cost to business), the latter might be persuaded to adopt it in future – in which case a degree of ongoing regulatory "competition" with the EU could, in the long run, prove to be a good thing for both sides. However, for this strategy to be effective, the UK really needs to be "getting out in front" of the EU when it comes to regulation and leading by example. In this case (as in a fair number of other areas), it is the EU which is in the lead in terms of updating its cybersecurity regime, with the UK somewhat belatedly following suit – having largely missed the opportunity to influence NIS2 in what it would see as a more positive direction.
Of course, there's unlikely to be a uniform approach across the EU either. While NIS2 seeks to achieve a higher level of harmonisation than the current rules, it does not preclude Member States from adopting provisions ensuring a higher level of cybersecurity, provided that such provisions are consistent with their obligations under EU law, so in the EU too there is likely still to be some divergence between Member States.
What about other, related sectors such as financial services?
There is also a need for coordination with regulation outside the scope of the NIS regime, particularly in the financial services sector. In the UK, the Government will need to work closely with the Financial Conduct Authority and the Bank of England, and to take account of their proposals relating to critical third parties in the financial sector, which are aimed at managing the risks associated with supplier failure and concentration risk. The EU has sought to align NIS2 with the regulation on digital operational resilience for the financial sector (DORA) and the directive on the resilience of critical entities (CER), to ensure coherence between NIS2 and those acts.