Why we need the NIS Regulations

If cyber security wasn’t one of your organisation’s top priorities a few months ago, it probably is now. That’s because the threat of cyber crime has continued to grow, and two new legislations have come into effect to ensure organisations have appropriate safeguards.

Of those legislations, most people have focused on the EU GDPR (General Data Protection Regulation). That’s left little room to discuss the NIS Regulations (Network and Information Systems Regulations 2018), which quietly took effect on 10 May 2018.

This blog redresses the balance, explaining why you need to take the NIS Regulations seriously and how you can achieve compliance.

GDPR vs NIS Regulations

Separating the GDPR and the NIS Regulations isn’t as simple as it seems. They are both EU legislations covering security, and they share a lot of the same requirements. However, whereas the GDPR focuses on personal data, the NIS Regulations are concerned with critical infrastructure.

The need for legislation addressing this should be obvious. There are growing fears about targeted attacks on essential services, which could cause chaos. This was partly seen with 2017’s WannaCry attack, which infected the NHS. A deliberate attack would likely cause even greater damage.

But the NIS Regulations aren’t only about cyber attacks. Their scope includes any kind of failure that has security ramifications or that will lead to disruption.

Who do the NIS Regulations apply to?

The NIS Regulations apply to two types of organisation:

There is one caveat: the Regulations don’t apply to DSPs that employ fewer than 50 people and whose annual turnover and/or balance sheet total is less than €10 million (about £9 million).

What’s an OES?

An OES is an organisation in any of the following sectors:

  • Energy
  • Transport
  • Health
  • Water
  • Digital infrastructure

What’s a DSP?

DSPs consist of three types of organisation:

  • Search engines
  • Cloud computing services
  • Online marketplaces

The NIS Regulations’ requirements

The NIS Regulations require OES and DSPs to:

  • Take appropriate technical and organisational measures to secure network and information systems;
  • Take into account the latest developments and consider the potential risks facing the systems.;
  • Take appropriate measures to prevent and minimise the impact of security incidents to ensure service continuity; and
  • Notify the relevant supervisory authority of any security incident having a significant impact on service continuity without undue delay.

There are also specific requirements for OES (outlined in the National Cyber Security Centre’s 14 principles) and DSPs (outlined in the Implementing Regulation).

Download our free compliance guide to

NIS Regulations gap analysis

With the NIS Regulations now UK law, organisations must start assessing their compliance needs. Implementing the Regulations’ requirements will be a long, hard process, so it’s important to be as prepared as possible. Our NIS Regulations Gap Analysis service gives you all the information you need from the outset, streamlining the compliance process.

A specialist cyber security consultant will work with you to:

  • Interview key individuals in your organisation;
  • Assess your current cyber security arrangements; and
  • Review your existing policies and procedures for relevancy, effectiveness and efficiency to determine any potential problems that may indicate non-compliance with the NIS Regulations.

You will then receive a detailed gap analysis report that collates the findings of this assessment.

Contact us for a free, no obligation quote today >>

Take part in the NIS Regulations survey to stand a chance of winning a £300 voucher that can be used against any product or service purchased from IT Governance.