The NIS Directive – Free updated compliance guide

The Directive on Security of Network and Information Systems (NIS Directive) ((EU) 2016/1148) aims to achieve a high common level of network and information systems security across the European Union. IT Governance has prepared a free compliance guide based on the UK Government’s consultation process.

NIS Directive Objectives

  • To improve national cyber security capabilities.
  • To increase cooperation between EU member states.
  • For operators of essential services (OESs) and digital service providers (DSPs) to take “appropriate and proportionate” security measures, and notify the relevant national authorities of serious incidents.

When does the NIS Directive come into effect?

The Directive will be transposed into national law across the EU on 9 May 2018.

Who does the NIS Directive apply to?

Operators of Essential Services in the following sectors:

  • Energy
  • Transport
  • Health
  • Water
  • Digital infrastructure

In line with Recital 9 of the Directive, OESs in the banking and financial market infrastructures sectors are not in the Directive’s scope, as they are already covered by equivalent provisions set by the Bank of England and the Financial Conduct Authority.

Digital Service Providers can be defined as the following:

  • Search engines
  • Online market places
  • Cloud computing services

The Directive states that DSPs with fewer than 50 employees and an annual turnover and/or annual balance sheet of less than €10 million will be exempt from compliance.

Territory map

  • OESs that operate within the EU.
  • DSPs that offer services to those within the EU.

Compliance Requirements for OESs:

OESs need to comply with a set of 14 security requirements based on the following four objectives as defined by the National Cyber Security Centre (NCSC):

Objective A: Managing security risk

A1. Governance

A2. Risk management

A3. Asset management

A4. Supply chain

Objective B: Defending systems against cyber attack

B1. Service protection policies and processes

B2. Identity and access control

B3. Data security

B4. System security

B5. Resilient networks and systems

B6. Staff awareness and training

Objective C: Detecting cyber security events

C1. Security monitoring

C2. Anomaly detection

Objective D: Minimising the impact of cyber security incidents

D1. Response and recovery planning

D2. Improvements

Cyber Assessment Framework (CAF)

A Cyber Assessment Framework is being developed and is due to be published by spring. The CAF will provide guidance for competent authorities on auditing and assessing acceptable levels of cyber security for OESs.

Incident reporting for OESs

OESs must report any incidents that occur to their competent authority or the CSIRT within 72 hours.

Compliance Requirements for DSPs

A Commission Implementing Regulation has been developed by the European Commission outlining the security measures and incident reporting thresholds for DSPs.

DSPs are free to take ‘technical and organisational measures appropriate and proportionate to manage the risk posed’ as long as those measures reflect the broad requirements of the Directive.

The Implementing Regulation also defines the specific metrics for “substantial impact”, which determine the DSP’s duties in relation to notifying the competent authority. Another blog on the compliance requirements will be released soon.

Penalty regime for non-compliance

The NIS Directive’s penalty regime is intended to motivate enhancements in cyber resilience while being proportionate to potential risks.

  • Penalties of up to £17 million have been introduced in the UK.
  • Competent authorities will define the fines by sector.

The role of competent authorities

Competent authorities will be appointed in each member state. In the UK, multiple competent authorities have been proposed.

Competent authorities are expected to:

  • Designate OESs;
  • Request information related to the NIS Directive;
  • Direct OESs or DSPs to undertake an action in relation to the NIS Directive;
  • Audit, or require an audit of, OESs;
  • Monitor the application of the NIS regulations;
  • Prepare and publish guidance;
  • Notify the public about an incident;
  • Investigate the causes of an incident;
  • Enforce an instruction on OESs or DSPs; and
  • Apply penalties on OESs or DSPs.

What can you expect to happen next?

The consultation document states: “The approach of both the Government and Competent Authorities in implementing the requirements of the Directive will be realistic and will take into account the circumstances of each sector as appropriate. Competent Authorities will be expected to engage with their sectors and keep them informed about the approach they intend to take”.

“Competent Authorities will take a reasonable and proportionate approach to enforcement and it is the Government’s expectation that the process of improving the security of Network and Information Systems of the UK’s essential services will take a number of years. However, the Government wants to make clear that even in this first year, Competent Authorities will have the power to issue penalties where significant compliance issues have been discovered and it is evident that organisations are not making active efforts to remedy them.”

How to get started – implement a cyber resilience programme

IT Governance offers a total cyber resilience solution to help you meet your NIS Directive compliance obligations and ensure continued compliance.

Download the free, updated guide on how to comply with the NIS Directive today.