Although much of the focus in 2018 has been on ensuring compliance with the EU GDPR (General Data Protection Regulation), another EU directive became UK law in May – the NIS Regulations (Network and Information Systems Regulations 2018).
What are the NIS Regulations?
On 10 May 2018, the NIS Directive (Directive on security of network and information systems) was transposed into UK law as the NIS Regulations. Whereas the GDPR deals with the security of personal data, the NIS Directive aims to ensure the availability of systems and networks for organisations in critical infrastructure sectors where a disruption to service could have a detrimental impact on the economy and/or society at large.
With 39% of critical infrastructure organisations failing basic cyber security, it’s crucial that businesses understand what the Regulations mean for them, and that the Regulations’ goal is not just to mitigate the threat of cyber attacks but to keep essential services available in the face of any disruption.
In August 2017, almost the entire British Airways fleet was grounded because of a power surge, leaving 75,000 people stranded and costing the airline about £100 million. The NIS Regulations aim to minimise this sort of chaos.
Who do they apply to?
The NIS Regulations apply to two different categories of organisations:
- OES (operators of essential services) in the UK’s energy, transport, health, water and digital infrastructure sectors.
- DSPs (digital service providers) – digital businesses, online marketplaces, Cloud computing services and search engines.
DSPs employing fewer than 50 people and with an annual turnover and/or balance sheet total less than €10 million are exempt from the NIS Regulations.
What are the penalties for non-compliance?
In the UK, organisations found to be non-compliant face fines of up to £17 million.
What must organisations do to comply?
OES and DSPs have separate compliance requirements under the NIS Regulations:
- For OES, the NCSC (National Cyber Security Centre) has published 14 high-level principles for compliance. From these principles, the NCSC has produced its CAF (Cyber Assessment Framework), which will be used by competent authorities to assess compliance during mandatory audits.
- Because of their cross-border nature, DSPs have uniform compliance requirements across the EU. The European Commission’s Implementation Regulation outlines specific obligations for DSPs across the EU, and ENISA (the European Union Agency for Network and Information Security) has produced technical guidelines to support compliance for DSPs alongside this. Compliance with the Implementation Regulation is reinforced by the NIS Regulations.
When must businesses comply?
The NIS Regulations came into full effect on 10 May 2018. Although the first year will be seen as a period of implementation and support, the UK government has issued a dire warning that action will be taken for serious contraventions.
In the UK, competent authorities for OES have been defined by sector. A full list of these can be found in the NIS Regulations. OES will be subject to regular audits from their competent authority and must register with them by 10 August 2018.
For DSPs, the competent authority in the UK is the ICO (Information Commissioner’s Office). DSPs face a ‘lighter touch’ approach, and aren’t subject to regular audits, but will face an audit if they are suspected of being non-compliant. They must self-identify and register with the ICO by 1 November 2018.
What can businesses do now?
You can learn more about the NIS Regulations and what organisations need to consider in their compliance project in our free UK compliance guide.
It is now UK law to comply with the NIS Regulations, so all organisations within the scope should be working towards compliance.
IT Governance’s NIS Regulations Gap Analysis will assess the gaps in your current cyber security arrangements against either the CAF (for OES) or the Implementation Regulation and ENISA’s technical guidance (for DSPs), providing you with a clear roadmap to compliance.