With many companies working towards compliance with the EU General Data Protection Regulation (GDPR), another piece of EU legislation that is expected to be transposed into law in May 2018 is flying under the radar: the Directive on Security of Network and Information Systems (NIS Directive).
The NIS Directive requires operators of essential services (OESs) and digital service providers (DSPs) to implement effective security measures appropriate to associated risks, as well as measures that minimise the impact of incidents and ensure business continuity.
Defining digital service providers
Technology companies that will fall under the authority of the Directive are outlined below.
“An online marketplace is defined as a platform that acts as an intermediary between buyers and sellers, facilitating the sale of goods and services. Online marketplaces are only in the scope if sales are made on the platform itself.” Examples include Gumtree and Amazon. E-commerce companies are out of scope.
“An online search engine is a digital service that allows users to perform searches of all websites or websites in a particular language on the basis of a query on any subject in the form of a keyword, phrase or other input, and returns links in which information related to the requested content can be found.”
Any company that offers:
- Infrastructure as a Service (IaaS);
- Platform as a Service (PaaS); or
- Business-to-business ‘Software as a Service’ (SaaS).
DSPs with fewer than 50 employees and whose annual turnover and/or annual balance sheet total doesn’t exceed €10 million will not be required to comply with the NIS Directive.
Key implications for digital services providers
- Security requirements
Broad guidelines have been laid out for how DSPs are required to improve their cyber security, with further guidance expected to be issued at a later date based on the UK’s consultation document issued in August 2017.
The UK government has set five high-level security principles based on the requirements of the NIS Directive that DSPs must implement to manage the risks posed to their information systems:
- “proportionate security measures in place to protect services and systems from cyber-attack or systems failure;
- appropriate organisational structures, policies, and processes in place to understand, assess and systematically manage incidents;
- capabilities to minimise the impacts of a cyber security incident on the delivery of services, including the restoration of those services;
- capabilities to ensure security defences remain effective and to detect cyber security events affecting, or with the potential to affect, services;
- measures in place are, where possible, compatible or comparable to internationally recognised cyber security standards.”
- Incident reporting
The consultation document makes reference to an Implementation Act to be issued by the European Commission that will further establish incident reporting guidelines. The document proposes that DSPs will have a 72-hour window to report an incident from the time of discovery, and that incidents concerning the supply, provision, confidentiality or integrity of the service must be reported.
- Competent authorities to monitor compliance
The UK government has proposed that the Information Commissioner’s Office (ICO) acts as the competent authority to monitor implementation and compliance in DSPs.
The ICO will be responsible for deciding whether to make an incident public, obtaining information to assess compliance, identifying breaches of the Directive and enforcing any penalties.
- Penalties for non-compliance
DSPs will receive a ‘lighter touch’ approach to monitoring compliance with the NIS Directive than OESs, and enforcement will only be applied after an incident has occurred, or if they are reported to be non-compliant.
The UK consultation document suggests that the financial penalties for non-compliance will consist of two bands:
Band one – for lesser offences such as failure to cooperate or comply with instructions from a competent authority or failure to report incidents:
- A fine set at a maximum of €10 million or 2% of annual turnover.
Band two – for failure to implement appropriate and proportionate security measures:
- A fine set at a maximum of €20 million or 4% of annual turnover (whichever is greater).
Preparations for NIS Directive compliance
With the compliance deadline for the NIS Directive just around the corner, it’s imperative that any DSPs that must meet its requirements begin preparations now.
If your organisation is going to be subject to the requirements of the NIS Directive, IT Governance offers a comprehensive range of cyber resilience solutions to help you meet your obligations and ensure continued compliance.
View our cyber resilience information page for more information.
- NIS Directive Foundation Training Course – register your interest to gain a comprehensive introduction to the NIS Directive.