The Directive on Security of Network and Information Systems (NIS Directive)
NIS Directive compliance: who must comply?
The Directive applies to:
- Operators of Essential Services (OES) that are established in the EU; and
- Digital Service Providers (DSP) that offer services to persons within the EU.¹
¹ The Directive does not apply to DSPs that qualify as micro or small enterprises (fewer than 50 employees and an annual turnover and/or annual balance sheet total not exceeding €10 million).
Member states must transpose the NIS Directive into national law by 9 May 2018, before the UK leaves the EU, and the UK government has confirmed that the Directive will apply irrespective of Brexit.
The NIS Directive requires OESs and DSPs to:
- Take appropriate technical and organisational measures to secure their network and information systems;
- Take into account the latest developments and consider the potential risks facing the systems;
- Take appropriate measures to prevent and minimise the impact of security incidents to ensure service continuity; and
- Notify the competent authority (or the national CSIRT) without undue delay of any security incident having a significant impact on the continuity of the service.
Consequences for non-compliance with the NIS Directive
Member states are required to set their own rules on financial penalties and must take the measures necessary to ensure that they are implemented.
The UK government’s response to its public consultation sets out how it intends to implement the Directive. Non-compliant organisations may be fined up to £17 million. The level of any fine will be assessed by the competent authority for the sector concerned and will vary between sectors.
What is an Operator of Essential Services (OES)?
The NIS Directive is aimed at bolstering cyber security across sectors that rely heavily on information and communications technology (ICT). Certain businesses operating in critical industries are known as OESs.
The sectors listed in Annex II of the Directive are:
- Energy
- Transport
- Banking
- Financial market infrastructures
- Health
- Drinking water supply and distribution
- Digital infrastructure
Specific compliance requirements for OESs:
The UK government has published 14 high-level security principles developed by the National Cyber Security Centre (NCSC) which all operators will be expected to comply with.
Objective A. Managing Security Risk
- A.1 Governance
- A.2 Risk management
- A.3 Asset management
- A.4 Supply chain
Objective B. Defending systems against cyber attack
- B.1 Service protection policies and procedures
- B.2 Identity and access control
- B.3 Data security
- B.4 System security
- B.5 Resilient networks and systems
- B.6 Staff awareness and training
Objective C. Detecting cyber security events
- C.1 Security monitoring
- C.2 Anomaly detection
Objective D. Minimising the impact of cyber security incidents
- D.1 Response and recovery planning
- D.2 Improvements
Audits and the Cyber Assessment Framework (CAF)
Compliance with the NIS Directive by OESs will be monitored by the designated competent authorities, which will assess operators against the 14 security principles.
The NCSC’s Cyber Assessment Framework (CAF) provides the method for assessing an organisation against the 14 principles and describes what a competent authority would regard as an acceptable level of security under the NIS Directive. The CAF is due to be released in spring 2018.
Incident reporting measures under the NIS Directive
The Directive itself requires incidents to be reported “without undue delay”. The UK government’s approach mirrors the General Data Protection Regulation (GDPR) by adding a fixed deadline: organisations must report incidents to the competent authority “without undue delay and, where feasible, no later than 72 hours after having become aware of an incident”.
Competent authorities will determine incident reporting thresholds for each sector (to be published in May 2018).
The incident reporting structure has been broken down into two sections:
- Incident response – a support function. The NCSC should be approached for help with cyber-related incidents; the competent authority or lead government department should be approached for assistance with non-cyber incidents.
- Incident notification – a regulatory process. Incidents must be reported to the competent authority, which will then decide whether a follow-up investigation is required.
What is a DSP?
The Directive applies to DSPs that normally provide their service “for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”. The onus is on organisations to determine for themselves whether they are DSPs and subject to the Directive’s security and notification requirements.
The Directive lists the following categories of DSP:
- Search engines.
- Cloud computing services.
- Online marketplaces.
Specific compliance requirements for DSPs
DSPs are required to ensure a level of security appropriate to the risk posed in offering covered services, taking the following elements into consideration:
- The security of systems and facilities.
- Incident handling.
- Business continuity management.
- Monitoring, auditing and testing.
- Compliance with international standards.
The Directive states that DSPs “remain free to take technical and organisational measures they consider appropriate and proportionate to manage the risks”, as long as the measures provide an “appropriate level of security” and factor in the NIS Directive’s requirements.
The Commission’s Implementing Regulation for DSPs
Commission Implementing Regulation (EU) 2018/151 provides further clarity for DSPs on how they will be expected to comply with the NIS Directive.
In addition to specifying the information security and business continuity measures expected of DSPs, the Implementing Regulation sets out the parameters for deciding whether an incident has a substantial impact and must therefore be notified: the number of users affected, the duration of the incident, its geographical spread, the extent of the disruption to the service, and the extent of its impact on economic and societal activities.
The Implementing Regulation applies from 10 May 2018 and is directly applicable in all EU member states.
How to achieve compliance with the NIS Directive
The best approach to achieving compliance is for DSPs and OESs to implement a cyber resilience programme that incorporates:
- Robust cyber security defences;
- Adequate cyber risk preventative measures; and
- Appropriate tools and systems for dealing with and reporting incidents.
International standards such as ISO 27001 (information security management) and ISO 22301 (business continuity management) serve as suitable frameworks for achieving NIS Directive compliance. Article 19 of the Directive requires member states to encourage the use of European or internationally accepted standards.
Where to start: a total cyber resilience solution
Organisations should be looking to develop a cyber resilient posture that combines best practice from leading international standards, as highlighted in the high-level security principles and the associated guidance issued by the NCSC.
View our cyber resilience solutions to get started today.
Why IT Governance?
- We deliver the entire suite of consultancy, training and tools needed for NIS compliance.
- Our unique combination of technical expertise and solid track record in international management system standards means we can deliver a complete solution for NIS compliance and manage the project from start to finish.
- As part of our work with organisations in all industries, we have managed hundreds of projects around the world.
- We’re independent of vendors and certification bodies, and encourage our clients to select the best fit for their needs and objectives.
- We have multi-disciplinary teams that can undertake rigorous penetration testing of your systems and networks, project managers to roll out compliance implementation projects, and executive expertise to brief your board and develop a suitable risk mitigation strategy.
- We deliver practical advice and work according to your budget and organisational needs. No company or project is ever too big or small.
- We offer clear and transparent pricing.