While businesses scramble to ready themselves for the General Data Protection Regulation (GDPR), a further piece of EU legislation is due to be passed into law by the UK parliament – and it’s going almost undetected.
Next year, the UK will implement the EU directive on the security of network and information systems, known as the NIS Directive.
With 39% of critical infrastructure organisations failing basic cyber security, it’s crucial for businesses to understand what the NIS Directive means for them.
What is the NIS Directive?
The NIS Directive is the first piece of EU-wide legislation on cyber security, and will impose new network and information security requirements on operators of essential services (OESs) and on digital service providers (DSPs).
Where the GDPR is aimed at protecting personal data, the NIS Directive is aimed at protecting essential infrastructure.
Its measures are designed to make sure critical IT systems in central sectors of the economy – such as banking, energy, health and transport – are secure. The new laws are set to impact a large number of businesses.
Who does it apply to?
The NIS Directive applies to two different categories of organisations:
- OESs in the energy, transport, banking, financial market infrastructures, health, water and digital infrastructure sectors.
- DSPs – digital businesses that are considered of general importance when it comes to cyber security, such as online marketplaces, cloud computing services and search engines.
How long do businesses have to comply?
The new Directive will come into full effect in May 2018 alongside the GDPR. EU member states will then have a further six months to identify the “operators of essential services”, leaving businesses until November 2018 to comply with the legislation.
What are the penalties for non-compliance?
Although penalties for non-compliance are not prescribed in the Directive, fines of between €10 million and €20 million, or 2% to 4% of annual global turnover, have been proposed by the UK government.
What can businesses do now?
To comply with the NIS Directive, organisations in critical infrastructure industries should implement cyber resilience programmes that incorporate the following:
- Robust cyber security defences.
- Adequate cyber risk preventative measures.
- Appropriate tools and systems to deal with and report incidents and data breaches.