What is the NIS Directive?
The EU’s NIS Directive (Directive on security of network and information systems) is the first piece of EU-wide cyber security legislation. It aims to achieve a high common level of network and information system security across the EU’s critical infrastructure.
The Directive applies to operators of essential services and digital service providers. These include energy, transport, water and healthcare, online marketplaces, search engines and Cloud computing services.
The NIS Directive requires these operators to take appropriate security measures and report incidents that significantly impact the continuity of the services they provide. Digital service providers are also required to notify the authorities of incidents that significantly impact the availability of their services.
What are the NIS Regulations?
The NIS Directive was enacted in UK law as The Network and Information Systems Regulations 2018 – often referred to simply as the ‘NIS Regulations’ – on 10 May 2018.
Free PDF download: NIS Regulations 2018 – A compliance guide
Critical infrastructure services can be attacked physically and digitally, and digital attacks can have significant repercussions in the physical world.
Part of the EU's legislated response was introducing the NIS Directive, which the UK has enacted into law through the NIS Regulations 2018. Download our free paper to learn more about the Regulations.
Who must comply with the NIS Regulations?
The Regulations apply to:
*The Regulations do not apply to DSPs that are considered a ‘micro or small enterprise’ (organisations employing fewer than 50 people whose annual turnover and/or balance sheet total is less than €10 million (about £8.4 million)).
Speak to an expert
Get in touch with one of our experts for more information about NIS compliance and the products and services we can offer to assist your compliance journey. Call us on +44 (0)333 800 7000, or request a call back using the form below.
Consequences for non-compliance with the NIS Regulations/NIS Directive
EU member states must set their own rules on financial penalties and take measures to ensure that they are implemented.
In the UK, non-compliant organisations may be fined up to £17 million. The relevant competent authority will assess the level of fine.
What are the NIS Regulations’ requirements for OES and DSPs?
OES and DSPs must:
- Secure their network and information systems by taking technical and organisational measures appropriate to the risk;
- Ensure service continuity by taking appropriate measures to prevent and minimise the impact of any incidents; and
- Notify their regulator of any security incident that has a significant impact.
Learn more about NIS Regulations compliance for OES
Learn more about NIS Regulations compliance for DSPs
Incident reporting measures under the NIS Regulations
Comparable to breaches under the GDPR (General Data Protection Regulation) and DPA (Data Protection Act) 2018, organisations must report “significant” or “substantial” incidents to their competent authority without undue delay and, where feasible, no later than 72 hours after having become aware of them.
In the UK, competent authorities have been assigned on a sectoral basis, each outlining their own incident reporting thresholds.
The Regulations state that OES must consider three factors when determining whether an incident is “significant”:
- The number of users affected by the disruption.
- The duration of the disruption.
- The size of the geographical area affected by the incident.
For DSPs, incidents have a “substantial” impact if they result in:
- Service unavailability for more than 5 million user hours;
- Loss of confidentiality, integrity, availability or authenticity of data accessed over networks or information systems affecting more than 100,000 users;
- A risk to public safety, public security, or loss of life; or
- Material damage to at least one user exceeding €1 million (about £843,000).
Audits and the CAF (Cyber Assessment Framework)
OES’ compliance with the NIS Regulations is monitored through audits conducted by the designated competent authorities.
The CAF, developed by the NCSC (National Cyber Security Centre), guides organisations to assess themselves against 14 security principles and outlines the acceptable security levels for organisations under the Regulations’ requirements.
DSPs are not audited but will be subject to investigations following any incident that may indicate non-compliance with the Regulations.
Learn more about the NIS Regulations CAF
Brexit and the NIS Regulations
Now the UK has left the EU, DSPs that offer services to the EU may need to designate a representative based in the member state in which they primarily offer those services.
More information can be found in the explanatory memorandum to the draft regulations and the government’s Guidance for digital service providers established in the UK in a ‘no deal’ EU Exit scenario.
How to achieve compliance with the NIS Regulations
An excellent approach for OES and DSPs to achieve compliance is to implement a cyber resilience programme that incorporates:
- Robust cyber security defences that are appropriate to the risk; and
- Appropriate tools and systems for dealing with and reporting incidents efficiently.
International standards such as ISO 27001 and ISO 27035 serve as ideal frameworks for achieving NIS Regulations compliance. Section 12 of the Regulations says that the measures DSPs adopt must take “compliance with international standards” into account.
Cyber incident response management, business continuity management and penetration testing can also help organisations achieve a heightened level of cyber resilience and facilitate compliance with the NIS Regulations.
IT Governance can help you with all of these.
Assess your compliance needs with a NIS Regulations gap analysis
Our NIS Regulations Gap Analysis will be conducted by experts to highlight shortcomings in your overall security programme to help you prioritise objectives and establish a roadmap for achieving full NIS Regulations compliance. Kick-start your NIS Regulations compliance journey today.
How IT Governance can help you comply with the NIS Regulations
- We can deliver everything you need for compliance, including consultancy, training and tools.
- Our unique combination of technical expertise and solid track record in international management system standards means we can deliver a complete solution for NIS Regulations compliance and manage the project from start to finish.
- We work with organisations in all industries and have managed hundreds of projects around the world.
- We’re independent of vendors and certification bodies and encourage our clients to select the best fit for their needs and objectives.
- We have multidisciplinary teams that can undertake rigorous penetration testing of your networks and systems, project managers to roll out compliance implementation projects, and executive expertise to brief your board and develop a suitable risk mitigation strategy.
- We deliver practical advice and work according to your budget and business needs. No organisation or project is ever too big or small.
- We offer clear and transparent pricing.