The NIS Regulations (The Network and Information Systems Regulations 2018) became UK law on 10 May 2018, paving the way for the widespread adoption of cyber resilience.
Cyber resilience is an approach to security that enables organisations to defend against attacks and prepare for the inevitability of a breach. It has become an essential method for managing cyber threats, given the proliferation of cyber crime and increased threat of regulatory action for breaches. There’s not only the potential for fines of up to £17 million under the NIS Regulations but also the possibility of mammoth fines under the EU GDPR (General Data Protection Regulation), which you will no doubt have heard about.
Cyber resilience requirements
The NIS Regulations apply to two different types of organisation: OES (operators of essential services) and DSPs (digital service providers). Each has separate compliance requirements – the NCSC’s (National Cyber Security Centre) 14 principles for OES and the Implementing Regulation for DSPs.
However, there are plenty of similarities between the two, not least the need for cyber resilience. The NCSC’s 14 principles include two instructions regarding cyber resilience:
- 4 Supply chain: The organisation asserts its need for cyber resilience throughout its supply chain.
- 5 Resilient networks and systems: Resilience is built into design, implementation, operation and management of systems that support essential services.
The Implementing Regulation for DSPs mandates that organisations:
- Establish and use contingency plans based on a business impact analysis to ensure “the continuity of the services provided by digital service providers which shall be assessed and tested on a regular basis”; and
- Implement disaster recovery capabilities which shall be assessed and tested on a regular basis.
How to adopt cyber resilience
The NIS Regulations’ cyber resilience requirements have caught a lot of organisations off guard, as the approach is not as widely discussed as more popular frameworks, such as ISO 27001. However, plenty of organisations have adopted it, and it’s rapidly growing in stature.
When you’re ready to make your organisation cyber resilient, you can speak to one of our consultants, who will guide you through the process.
Drawing on our unique blend of practical cyber security know-how and proven management system consultancy expertise, our team will help you implement a NIS Regulations-compliant cyber resilience programme that helps identify attacks and recover from successful breaches.