The Directive on Security of Network and Information Systems (NIS Directive) ((EU) 2016/1148) aims to achieve a high common level of network and information systems security across the European Union. IT Governance has prepared a free compliance guide based on the UK Government’s consultation process.
NIS Directive Objectives
- To improve national cyber security capabilities.
- To increase cooperation between EU member states.
- For operators of essential services (OESs) and digital service providers (DSPs) to take “appropriate and proportionate” security measures, and notify the relevant national authorities of serious incidents.
When does the NIS Directive come into effect?
The Directive will be transposed into national law across the EU on 9 May 2018.
Who does the NIS Directive apply to?
Operators of Essential Services in the following sectors:
- Digital infrastructure
In line with Recital 9 of the Directive, OESs in the banking and financial market infrastructures sectors are not in the Directive’s scope, as they are already covered by equivalent provisions set by the Bank of England and the Financial Conduct Authority.
Digital Service Providers are defined as the following:
- Search engines
- Online marketplaces
- Cloud computing services
The Directive states that DSPs with fewer than 50 employees and an annual turnover and/or annual balance sheet of less than €10 million will be exempt from compliance.
- OESs that operate inside the EU.
- DSPs that offer services to those within the EU.
Compliance Requirements for OESs:
OESs need to comply with a set of 14 security requirements based on the following four objectives as defined by the National Cyber Security Centre (NCSC):
Objective A: Managing security risk
A2. Risk management
A3. Asset management
A4. Supply chain
Objective B: Defending systems against cyber attack
B1. Service protection policies and processes
B2. Identity and access control
B3. Data security
B4. System security
B5. Resilient networks and systems
B6. Staff awareness and training
Objective C: Detecting cyber security events
C1. Security monitoring
C2. Anomaly detection
Objective D: Minimising the impact of cyber security incidents
D1. Response and recovery planning
Cyber Assessment Framework (CAF)
A Cyber Assessment Framework is being developed and is due to be published by Spring. The CAF will give competent authorities guidance for auditing and assessing whether the cyber security of OESs is at an acceptable level.
Incident reporting for OESs
OESs must report incidents to their competent authority or the CSIRT within 72 hours.
Compliance Requirements for DSPs
A Commission Implementing Regulation has been developed by the European Commission outlining the security measures and incident reporting thresholds for DSPs.
DSPs are free to take ‘technical and organisational measures appropriate and proportionate to manage the risk posed’, as long as those measures reflect the broad requirements of the Directive.
The Implementing Regulation also defines the specific metrics for “substantial impact”, which determine the DSP’s duties in relation to notifying the competent authority. Another blog on the compliance requirements will be released soon.
Penalty regime for non-compliance
The NIS Directive’s penalty regime is intended to motivate enhancements in cyber resilience while being proportionate to potential risks.
- Fines of up to £17 million can be levied in the UK.
- Competent authorities will define the fines by sector.
The role of competent authorities
Competent authorities will be appointed in each member state. In the UK, multiple competent authorities have been proposed.
Competent authorities are expected to:
- Designate OESs;
- Request information related to the NIS Directive;
- Direct OESs or DSPs to undertake an action in relation to the NIS Directive;
- Audit, or require an audit of, OESs;
- Monitor the application of the NIS regulations;
- Prepare and publish guidance;
- Notify the public about an incident;
- Investigate the causes of an incident;
- Enforce an instruction on OESs or DSPs; and
- Apply penalties on OESs or DSPs.
What can you expect to happen next?
The consultation document states: “The approach of both the Government and Competent Authorities in implementing the requirements of the Directive will be realistic and will take into account the circumstances of each sector as appropriate. Competent Authorities will be expected to engage with their sectors and keep them informed about the approach they intend to take”.
“Competent Authorities will take a reasonable and proportionate approach to enforcement and it is the Government’s expectation that the process of improving the security of Network and Information Systems of the UK’s essential services will take a number of years. However, the Government wants to make clear that even in this first year, Competent Authorities will have the power to issue penalties where significant compliance issues have been discovered and it is evident that organisations are not making active efforts to remedy them.”
How to get started – implement a cyber resilience programme
IT Governance offers a total cyber resilience solution to help you meet your NIS Directive compliance obligations and ensure continued compliance.