Until recently, many organisations have been focused on achieving compliance with the EU’s GDPR (General Data Protection Regulation). However, there is a related UK law that took effect on 10 May 2018, the NIS Regulations (Network and Information Systems Regulations 2018).
The NIS Regulations are derived from the EU’s NIS Directive (Directive on security of network and information systems), which applies to two groups of organisations: OES (operators of essential services) and DSPs (digital service providers). DSPs are providers of:
- Cloud computing services;
- Online search engines; and
- Online marketplaces.
The Implementation Regulation
There are differences in the ways that OES and DSPs need to prepare to comply with the Regulations. DSPs tend to operate across borders, which is partly why the European Commission introduced its Implementation Regulation – to ensure a uniform approach across the EU.
The Implementation Regulation also took effect on 10 May 2018 and applies directly to each member state. The UK’s NIS Regulations reinforce the Implementation Regulation, and the ICO (Information Commissioner’s Office), as competent authority for DSPs in the UK, will oversee compliance.
ENISA (European Union Agency for Network and Information Security) has also published technical guidelines for DSPs to provide further guidance on how to comply.
DSPs must be particularly organised, as they are expected to define their own information security measures “appropriate and proportionate” to the risks they may face. These measures must address:
- The systematic management of network and information systems, which will require organisations to map their information systems and set up appropriate policies, covering risk analysis, human resources, security of operations, security architecture, system lifecycle management and, where applicable, encryption.
- Physical and environmental security, protecting network and information systems against environmental damage and against accidental or deliberate human interference.
- Security of supplies, with policies to ensure that critical supplies used in providing the service remain accessible and, where applicable, traceable.
- Access control measures to ensure that physical and logical access is “authorised and restricted based on business and security requirements”.
- Detection processes and procedures, maintained and tested regularly so that anomalous events are identified promptly and the procedures stay up to date and effective.
- Processes and policies for reporting vulnerabilities and security incidents.
- Procedures for documenting the response to cyber security incidents.
- Incident analyses to assess an incident’s severity and collect information for the organisation’s continual improvement process.
- Contingency plans based on a business impact analysis, ensuring the continuity of services.
- Disaster recovery plans appropriate to the potential risks.
Monitoring, auditing and testing
- Planned monitoring to assess whether information systems are working as they should.
- Auditing and measurements to monitor whether the organisation is complying with relevant standards or guidelines.
- Processes aimed at revealing flaws in security systems, covering both technology and the people involved in the security system.
Incident reporting and penalties
Incidents that have a substantial impact on the provision of the service must be reported to the ICO without undue delay and in any event within 72 hours of the DSP becoming aware of them. Whether an incident counts as having a substantial impact is judged against the parameters set out in the Implementation Regulation: the number of users affected, the duration of the incident, its geographical spread, the extent of the disruption to the service and the extent of the impact on economic and societal activities.
DSPs face a ‘lighter touch’ approach than OES, and won’t be subject to regular audits from the ICO. However, they are expected to register with the ICO by 1 November 2018, and could be subject to a fine of up to £17 million if they are found to be non-compliant. Naturally, an incident is the most obvious indicator of potential non-compliance.
Get started with your NIS Regulations compliance project
It is now UK law to comply with the NIS Regulations – organisations should already have begun their compliance project. To start assessing your organisation’s current cyber security arrangements against the Regulations’ requirements, book an NIS Regulations Gap Analysis with IT Governance.
Accelerate your NIS Regulations compliance project with the new NIS Regulations Documentation Toolkit, designed specifically for OES and DSPs.