The UK cyber security law that shipping organisations must comply with

The NIS Regulations (Network and Information Systems Regulations 2018) became UK law on 10 May 2018. The NIS Regulations are derived from the NIS Directive (Directive on security of network and information systems) and apply to OES (operators of essential services) and DSPs (digital service providers).

The NIS Regulations aim to reduce the risk of disruption to critical services by requiring relevant organisations to protect their networks and information systems that affect the availability of the organisation’s essential service. There are numerous sectors and subsectors that must comply with the NIS Regulations’ requirements – including organisations in the shipping industry.

Which organisations do the NIS Regulations apply to?

Under the NIS Regulations, the water transport sector is classified as an OES. There are four subsectors within the sector:

  • Shipping companies
  • Harbour authorities
  • Port operators
  • Operators of vessel traffic services

However, not all organisations in these subsectors will fall in the NIS Regulations’ scope.

Organisations that handle more than five million tonnes of total freight to the UK annually (shipping companies only) with annual passenger numbers greater than ten million will be expected to comply with the Regulations.

OES are expected to self-identify and report to their competent authority by 10 August 2018.

Who is the competent authority?

For water transport, the competent authority is the Secretary of State for Transport. They are expected to provide compliance guidance and enforce the NIS Regulations on relevant organisations.

All incidents must be reported to the competent authority within 72 hours of the organisation becoming aware of them. The competent authority has the power to issue financial penalties to organisations that are found to be non-compliant or that fail to report an incident.

How to comply – the NCSC’s 14 principles

The NIS Regulations are now UK law, so it is critical that organisations assess their compliance needs and begin their compliance project.

The NCSC (National Cyber Security Centre) has issued 14 high-level principles that OES are expected to adopt in their compliance project to ensure they meet the Regulations’ requirements.

View the 14 principles and relevant compliance solutions

Implementing a cyber resilience programme is the most effective way to ensure your organisation meets the requirements of the 14 principles.

ISO 27001, the international standard for an ISMS (information security management system), aligns closely with the 14 principles. Implementing it alongside a BCMS (business continuity management system) aligned with the international standard ISO 22301 provides the basis for a robust cyber resilience programme.

Start assessing your compliance needs

IT Governance’s NIS Regulations Gap Analysis will give you a clear picture of how your current cyber security arrangements match up with the requirements of the 14 principles.

To assess your compliance needs and gain a clear roadmap of the steps you need to take to become fully compliant, book the NIS Regulations Gap Analysis now.