By 9 May 2018, the Directive on security of network and information systems (NIS Directive) will have been transposed into UK law. However, unlike the EU General Data Protection Regulation (GDPR) (GDPR), which organisations are currently scrambling to comply with, there is little commotion about the NIS Directive.
That’s partly because EU member states have until November 2018 to identify certain organisations that they deem to be within the Directive’s scope. But that doesn’t mean that it’s any less important or urgent than the GDPR. The Directive is complex, and organisations’ resources are already being diverted to achieving GDPR compliance, so it’s important to set aside as much time as possible to implementing the requirements of the Directive that don’t overlap with the GDPR.
Who the NIS Directive applies to
The Directive applies to two groups. The first, operators of essential services (OES), includes the health, energy, water and transportation sectors. The second, digital service providers (DSPs), covers online search engines, Cloud computing services and online marketplaces.
The Directive doesn’t apply to small and micro enterprises, which the UK government identifies as organisations with fewer than 50 employees and with an annual turnover and/or balance sheet total of less than €10 million (about £8.7 million).
The NIS Directive’s requirements
Both OES and DSPs must:
- Take appropriate technical and organisational measures to secure their network and information systems;
- Account for the latest developments and consider the potential risks facing their systems;
- Take appropriate measures to prevent and minimise the impact of security incidents and to ensure service continuity; and
- Notify the relevant supervisory authority of any security incident that has a significant impact on service continuity.
There are also separate requirements for OES and DSPs. The National Cyber Security Centre (NCSC) has outlined 14 high-level security principles that all OES are expected to comply with, and the European Commission sets out the security measures and incident reporting thresholds for DSPs in more detail.
Consequences of failing to comply
Each EU member state is responsible for enforcing the NIS Directive, after transposing it into national law, and setting its own rules on disciplinary action for non-compliance. The UK has opted for penalties similar to those in the GDPR, with maximum fines of £17 million or 4% of the organisation’s annual global turnover – whichever is higher.
The level of fine will be assessed by the competent authority, and can vary between sectors.
Want to know more?
Our free NIS Directive compliance guide goes into more detail about the Directive and what organisations need to do to meet its requirements. It covers:
- The Directive’s requirements and the UK government’s implementation approach;
- The proposed assurance regime;
- Which organisations are in scope of the NIS Directive;
- The proposed security requirements for compliance; and
- How you can implement a compliance programme to meet the NIS Directive’s requirements.