What is the NIS Directive?
The Directive on security of network and information systems (NIS Directive) is an EU-wide directive that focuses on the availability of crucial network and information systems in order to protect the union’s critical infrastructure and thereby ensure service continuity.
This Directive was transposed into UK law as The Network and Information Systems Regulations 2018 (NIS Regulations) on 10 May 2018.
Who must comply with the NIS Regulations?
The Regulations apply to operators of essential services (OES) and digital service providers (DSPs).¹
¹ The Regulations do not apply to DSPs that are considered small and micro businesses (companies employing fewer than 50 people whose annual turnover and/or balance sheet total is less than €10 million).
Brexit and the NIS Regulations
The NIS Regulations come into effect before the UK leaves the EU, and the UK government has confirmed that the Regulations will apply irrespective of Brexit.
Consequences for non-compliance with the NIS Regulations/NIS Directive
Member states are required to set their own rules on financial penalties and must take the measures necessary to ensure that they are implemented. In the UK, non-compliant organisations may be fined up to £17 million. The level of fine will be assessed by the competent authority, and will vary between sectors.
The NIS Regulations require OES and DSPs to:
- Take appropriate technical and organisational measures to secure their network and information systems;
- Take into account the latest developments and consider the potential risks facing the systems;
- Take appropriate measures to prevent and minimise the impact of security incidents to ensure service continuity; and
- Notify the relevant supervisory authority of any security incident having a significant impact on service continuity without undue delay.
Incident reporting measures under the NIS Regulations
As under the General Data Protection Regulation (GDPR), organisations must report incidents to the competent authority “without undue delay and, where feasible, no later than 72 hours after having become aware of an incident”.
Competent authorities will outline incident reporting thresholds for each sector.
The incident reporting structure has been broken down into two sections:
- Incident response – acts as a support function: the National Cyber Security Centre (NCSC) should be approached for cyber-related incidents, while the competent authority or lead government department should be approached for assistance with non-cyber-related incidents.
- Incident notification – acts as a regulatory process wherein incidents must be reported to the competent authority, which will then decide whether a follow-up investigation is required.
What is an OES?
The NIS Directive/Regulations are aimed at bolstering cyber security across sectors that rely heavily on information and communications technology (ICT). Certain businesses operating in critical industries are known as operators of essential services (OES).
The NIS Regulations apply to the following sectors:
- Digital infrastructure
Specific compliance requirements for OES
The UK government has published 14 high-level security principles developed by the NCSC, which all OES will be expected to comply with.
Managing security risk
- A.1 Governance
- A.2 Risk management
- A.3 Asset management
- A.4 Supply chain
Protecting against cyber attack
- B.1 Service protection policies and procedures
- B.2 Identity and access control
- B.3 Data security
- B.4 System security
- B.5 Resilient networks and systems
- B.6 Staff awareness and training
Detecting cyber security events
- C.1 Security monitoring
- C.2 Anomaly detection
Minimising the impact of cyber security incidents
- D.1 Response and recovery planning
- D.2 Improvements
Audits and the cyber assessment framework (CAF)
OES’ compliance with the NIS Regulations will be monitored through audits conducted by designated competent authorities.
A newly developed CAF will provide guidance for organisations to assess themselves against the 14 security principles and will outline the acceptable levels of security for organisations under the requirements of the NIS Regulations.
DSPs will not be audited but will be subject to investigations following any incident that may indicate non-compliance with the Regulations.
What is a DSP?
The NIS Regulations apply to DSPs that normally provide their service “for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”. The onus is on organisations to determine for themselves whether they are DSPs and therefore subject to the Regulations’ security and notification requirements. In the UK, DSPs will be required to register with the Information Commissioner’s Office (ICO), which has been appointed as the competent authority for regulating DSPs.
The NIS Regulations list the following categories of DSP:
- Search engines
- Cloud computing services
- Online marketplaces
General compliance guidance for DSPs
An Implementing Regulation provides further clarity for DSPs on how they will be expected to comply with the NIS Directive, and this has been taken into account in the UK’s NIS Regulations. The Implementing Regulation took effect on 10 May 2018 and applies to all EU member states.
DSPs are required to ensure a level of security appropriate to the risk posed in offering covered services, taking into consideration:
- The security of systems and facilities;
- Incident handling;
- Business continuity management;
- Monitoring, auditing and testing; and
- Compliance with international standards.
Alongside the Implementing Regulation, ENISA (the European Union Agency for Network and Information Security) has published “Technical Guidelines for the implementation of minimum security measures for Digital Service Providers”, which describe 27 security objectives.
In addition to information security and business continuity measures, DSPs need to establish incident response measures based on an assessment of the incident’s severity.
How to achieve compliance with the NIS Regulations
The best approach to achieving compliance is for DSPs and OES to implement a cyber resilience programme that incorporates:
- Robust cyber security defences;
- Adequate cyber risk preventative measures; and
- Appropriate tools and systems for dealing with and reporting incidents.
International standards such as ISO 27001 and ISO 27035 serve as ideal frameworks for achieving NIS Regulations compliance. In fact, Article 19 mentions that compliance with international standards is encouraged.
The implementation of business continuity management, penetration testing and cyber incident response management can help organisations achieve a heightened level of cyber resilience and help facilitate compliance with the NIS Regulations.
Best-selling products and services for NIS Regulations compliance
Browse our range of best-selling products and services below to kick-start your NIS compliance journey.
Start assessing your compliance needs with a NIS Regulations Gap Analysis
Conducted by experts, the NIS Regulations Gap Analysis will highlight shortcomings in your overall security programme to help you prioritise objectives and establish a roadmap for achieving full compliance with the NIS Regulations.
How IT Governance can help you achieve NIS compliance
- We deliver the entire suite of consultancy, training and tools needed for NIS compliance.
- Our unique combination of technical expertise and solid track record in international management system standards means we can deliver a complete solution for NIS compliance and manage the project from start to finish.
- As part of our work with organisations in all industries, we have managed hundreds of projects around the world.
- We’re independent of vendors and certification bodies, and encourage our clients to select the best fit for their needs and objectives.
- We have multi-disciplinary teams that can undertake rigorous penetration testing of your systems and networks, project managers to roll out compliance implementation projects, and executive expertise to brief your board and develop a suitable risk mitigation strategy.
- We deliver practical advice and work according to your budget and organisational needs. No company or project is ever too big or small.
- We offer clear and transparent pricing.