NIS Directive – what does this mean for Scottish organisations?

Earlier this year, the EU introduced a law that requires critical infrastructure organisations to improve their ability to ensure that crucial network and information systems remain functional in the event of disruption, and that their essential service remains available in all reasonable circumstances. 

That law – the NIS Directive (Directive on security of network and information systems) – was transposed into UK law as the NIS Regulations (The Network and Information Systems Regulations 2018), and entered into force on 10 May 2018. This blog explains how Scottish organisations can prepare for, and comply with, its requirements.  

Who must comply with the NIS Regulations? 

The Regulations apply to two sets of organisations: 

  • OES (operators of essential services), specifically those in the energy, transport, water, health and digital infrastructure sectors; and 
  • DSPs (digital service providers), encompassing online search engines, online marketplaces and cloud computing services. 

The Regulations exempt DSPs that employ fewer than 50 people and whose annual turnover and/or balance sheet total is less than €10 million (about £8.8 million). 

It’s worth noting that the NIS Regulations came into effect before the UK leaves the EU, and the UK government has confirmed that the Regulations will continue to apply irrespective of Brexit. 

The NIS Regulations’ requirements 

Organisations must: 

  • Put “appropriate and proportionate technical and organisational measures” in place to “manage risks” and “prevent and minimise the impact of incidents”; and 
  • Notify the relevant competent authority of any incident of significant impact. 

You can learn more about the requirements of the NIS Regulations by reading our compliance guide. 

Competent authorities 

In the UK, compliance with the NIS Regulations will be overseen by different competent authorities in each sector. In some cases, countries within the UK will have their own authority. 

Here are Scotland’s competent authorities: 

  • Drinking water supply and distribution: The Drinking Water Quality Regulator. 
  • Energy: The Secretary of State for Business, Energy and Industrial Strategy for all operations involving natural gas refining and treatment facilities, storage system operators and liquefied natural gas system operators. In other cases, the Gas and Electricity Markets Authority must also be contacted. 
  • Digital infrastructure: Ofcom. 
  • Health sector: Scottish Ministers. 
  • Digital service providers: The Information Commissioner’s Office. 

The transport sector is a little more complex, with different regulators for relevant subsectors: 

  • Air: The Secretary of State for Transport, and the Civil Aviation Authority. 
  • Maritime: The Secretary of State for Transport. 
  • Roads: Scottish Ministers. 
  • Rail: The Secretary of State for Transport. 

Preparing for the NIS Regulations 

Scotland has an advantage when it comes to complying with the NIS Regulations, as it already has high levels of cyber security and cyber resilience. This is, in part, thanks to work by the Scottish government and the introduction of the Scottish Public Sector Cyber Resilience Framework. 

The framework applies to all public sector bodies in Scotland, and requires them to develop cyber resilience and become “exemplars” in online security. Organisations are also expected to certify to the Cyber Essentials scheme by 31 October 2018. The UK and Scottish governments allocated £3.5 million to support this effort via the UK National Cyber Security Programme. 

Any organisation that has met these requirements will already be close to achieving full compliance with the NIS Regulations. You can find out what else you need to do by reading our compliance guide or enrolling on a training course, where you can learn about the principles of information security, cyber resilience and business continuity. 

Learn more with our webinar 

You might also be interested in our upcoming webinar: Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotland 

This presentation takes place on Wednesday, 21 November 2018, at 1:30 pm (GMT). If you can’t make the presentation, it will be available to download from our website, where you can also browse our previous webinars.