The Directive on security of network and information systems (NIS Directive/NIS Regulations)
The Directive on security of network and information systems (NIS Directive) aims to achieve a high, common level of network and information systems security across the EU. This Directive was transposed into UK law as The Network and Information Systems Regulations 2018 (NIS Regulations) on 10 May 2018.
Who must comply with the NIS Regulations?
The Regulations apply to:
- Operators of Essential Services (OES) that are established in the EU; and
- Digital Service Providers (DSPs) that offer services to persons within the EU.[1]
[1] The Regulations do not apply to DSPs that are considered small and micro businesses (companies employing fewer than 50 people whose annual turnover and/or balance sheet total is less than €10 million).
The NIS Regulations come into effect before the UK leaves the EU, and the UK government has confirmed that they will apply irrespective of Brexit.
Consequences for non-compliance with the NIS Regulations/NIS Directive
Member states are required to set their own rules on financial penalties and must take the measures necessary to ensure that they are implemented. In the UK, non-compliant organisations may be fined up to £17 million. The level of fine will be assessed by the competent authority, and will vary between sectors.
The NIS Regulations require OES and DSPs to:
- Take appropriate technical and organisational measures to secure their network and information systems;
- Take into account the latest developments and consider the potential risks facing the systems;
- Take appropriate measures to prevent and minimise the impact of security incidents to ensure service continuity; and
- Notify the relevant competent authority, without undue delay, of any security incident having a significant impact on service continuity.
Incident reporting measures under the NIS Regulations
As under the General Data Protection Regulation (GDPR), organisations must report incidents to the competent authority “without undue delay and, where feasible, no later than 72 hours after having become aware of an incident”.
Competent authorities will outline incident reporting thresholds for each sector.
The incident reporting structure has been broken down into two sections:
- Incident response – a support function: the National Cyber Security Centre (NCSC) should be approached for cyber-related incidents, and the competent authority or lead government department for assistance with non-cyber-related incidents.
- Incident notification – a regulatory process: incidents must be reported to the competent authority, which will then decide whether a follow-up investigation is required.
What is an OES?
The NIS Directive/Regulations are aimed at bolstering cyber security across sectors that rely heavily on information and communications technology (ICT). Certain businesses operating in critical industries are known as OES.
The NIS Regulations apply to the following sectors:
- Digital infrastructure
Specific compliance requirements for OES
The UK government has published 14 high-level security principles developed by the NCSC, which all OES will be expected to comply with.
Objective A. Managing security risk
- A.1 Governance
- A.2 Risk management
- A.3 Asset management
- A.4 Supply chain
Objective B. Protecting against cyber attack
- B.1 Service protection policies and procedures
- B.2 Identity and access control
- B.3 Data security
- B.4 System security
- B.5 Resilient networks and systems
- B.6 Staff awareness and training
Objective C. Detecting cyber security events
- C.1 Security monitoring
- C.2 Anomaly detection
Objective D. Minimising the impact of cyber security incidents
- D.1 Response and recovery planning
- D.2 Improvements
Audits and the cyber assessment framework (CAF)
OES’ compliance with the NIS Regulations will be monitored through audits conducted by designated competent authorities.
A newly developed CAF will provide guidance for organisations to assess themselves against the 14 security principles and will outline the acceptable levels of security for organisations under the requirements of the NIS Regulations.
DSPs will not be audited but will be subject to investigations following any incident that may indicate non-compliance with the Regulations.
What is a DSP?
The NIS Regulations apply to DSPs that normally provide their service “for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”. The onus is on organisations to determine for themselves whether they are DSPs and therefore subject to the Regulations’ security and notification requirements. In the UK, DSPs will be required to register with the Information Commissioner’s Office (ICO), which has been appointed as the competent authority for regulating DSPs.
The NIS Regulations list the following categories of DSP:
- Search engines
- Cloud computing services
- Online marketplaces
The EU Commission’s Implementing Regulation for DSPs
An Implementing Regulation provides further clarity for DSPs on how they will be expected to comply with the NIS Directive, and this has been taken into account in the UK’s NIS Regulations.
DSPs are required to ensure a level of security appropriate to the risk posed in offering covered services, taking into consideration:
- The security of systems and facilities;
- Incident handling;
- Business continuity management;
- Monitoring, auditing and testing; and
- Compliance with international standards.
The Directive states that DSPs “remain free to take technical and organisational measures they consider appropriate and proportionate to manage the risks”, as long as the measures provide an “appropriate level of security” and factor in the NIS Directive’s requirements.
In addition to information security and business continuity measures, DSPs need to establish incident response measures based on an assessment of the incident’s severity.
The Implementing Regulation takes effect from 10 May 2018 and applies in all EU member states.
How to achieve compliance with the NIS Regulations
The best approach to achieving compliance is for DSPs and OES to implement a cyber resilience programme that incorporates:
- Robust cyber security defences;
- Adequate cyber risk preventative measures; and
- Appropriate tools and systems for dealing with and reporting incidents.
International standards such as ISO 27001 and ISO 27035 serve as ideal frameworks for achieving NIS Regulations compliance. In fact, Article 19 mentions that compliance with international standards is encouraged.
The implementation of business continuity management, penetration testing and cyber incident response management can help organisations achieve a heightened level of cyber resilience and help facilitate compliance with the NIS Regulations.
How IT Governance can help you achieve NIS compliance
- We deliver the entire suite of consultancy, training and tools needed for NIS compliance.
- Our unique combination of technical expertise and solid track record in international management system standards means we can deliver a complete solution for NIS compliance and manage the project from start to finish.
- As part of our work with organisations in all industries, we have managed hundreds of projects around the world.
- We’re independent of vendors and certification bodies, and encourage our clients to select the best fit for their needs and objectives.
- We have multi-disciplinary teams that can undertake rigorous penetration testing of your systems and networks, project managers to roll out compliance implementation projects, and executive expertise to brief your board and develop a suitable risk mitigation strategy.
- We deliver practical advice and work according to your budget and organisational needs. No company or project is ever too big or small.
- We offer clear and transparent pricing.
Speak to a NIS Regulations expert
Please contact our NIS Regulations team for advice and guidance on our products and services.