What is the NIS Directive?
The EU’s NIS Directive (Directive on security of network and information systems) is the first piece of EU-wide cyber security legislation. It aims to achieve a high common level of network and information system security across the EU’s critical infrastructure.
What are the NIS Regulations?
The NIS Directive was enacted in UK law as The Network and Information Systems Regulations 2018 – often referred to simply as the ‘NIS Regulations’ – on 10 May 2018.
Who must comply with the NIS Regulations?
The Regulations apply to OES (operators of essential services) and DSPs (digital service providers).
Note: the Regulations do not apply to DSPs that are considered a ‘micro or small enterprise’ (organisations employing fewer than 50 people whose annual turnover and/or balance sheet total is less than €10 million (about £8.7 million)).
Consequences for non-compliance with the NIS Regulations/NIS Directive
Member states are required to set their own rules on financial penalties and take the measures to ensure that they are implemented.
In the UK, non-compliant organisations may be fined up to £17 million. The level of fine will be assessed by the relevant competent authority.
What are the NIS Regulations’ requirements for OES and DSPs?
OES and DSPs must:
- Secure their network and information systems by taking technical and organisational measures appropriate to the risk;
- Ensure service continuity by taking appropriate measures to prevent and minimise the impact of any incidents; and
- Notify their regulator of any security incident that has a significant impact.
Incident reporting measures under the NIS Regulations
As with breaches under the GDPR (General Data Protection Regulation) and the DPA (Data Protection Act) 2018, organisations must report “significant” or “substantial” incidents to their competent authority without undue delay and, where feasible, no later than 72 hours after having become aware of them.
In the UK, competent authorities have been assigned on a sectoral basis, and each of them outlines its own incident reporting thresholds.
The Regulations state that OES must consider three factors when determining whether an incident is “significant”:
- The number of users affected by the disruption;
- The duration of the disruption; and
- The size of the geographical area affected by the incident.
For DSPs, incidents have a “substantial” impact if they result in:
- Service unavailability for more than 5 million user hours;
- Loss of confidentiality, integrity, availability or authenticity of data accessed over networks or information systems affecting more than 100,000 users;
- A risk to public safety, public security or loss of life; or
- Material damage to at least one user exceeding €1 million (about £860,000).
Audits and the CAF (Cyber Assessment Framework)
OES’ compliance with the NIS Regulations will be monitored through audits conducted by the designated competent authorities.
The CAF, developed by the NCSC (National Cyber Security Centre), will provide guidance for organisations to assess themselves against 14 security principles and will outline the acceptable levels of security for organisations under the Regulations’ requirements.
DSPs will not be audited, but will be subject to investigations following any incident that may indicate non-compliance with the Regulations.
Want to find out more information about the NIS Regulations?
Download one of our free green papers today to find out how to meet your NIS Regulations compliance obligations.
Brexit and the NIS Regulations
The UK government published the Network and Information Systems (Amendment etc.) (EU Exit) Regulations 2019 – a statutory instrument made under the European Union (Withdrawal) Act 2018 – in March 2019. They will come into force on the 20th day after exit day.
These Regulations introduce no major differences for UK OES or DSPs, but amend the NIS Regulations to:
- Remove certain obligations from the NCSC regarding international cooperation;
- Remove references to EU-based service providers; and
- Convert euros to sterling.
When the UK leaves the EU, DSPs that offer services to the EU may need to designate a representative based in the member state in which they primarily offer those services.
More information can be found in the explanatory memorandum to the draft regulations and the government’s Guidance for digital service providers established in the UK in a ‘no deal’ EU Exit scenario.
How to achieve compliance with the NIS Regulations
An excellent approach for OES and DSPs to achieve compliance is to implement a cyber resilience programme that incorporates:
- Robust cyber security defences that are appropriate to the risk; and
- Appropriate tools and systems for dealing with and reporting incidents efficiently.
International standards such as ISO 27001 and ISO 27035 serve as ideal frameworks for achieving NIS Regulations compliance. In fact, Section 12 of the Regulations says that the measures DSPs adopt must take “compliance with international standards” into account.
Cyber incident response management, business continuity management and penetration testing can also help organisations achieve a heightened level of cyber resilience and facilitate compliance with the NIS Regulations.
IT Governance can help you with all of these.
Assess your compliance needs with a NIS Regulations gap analysis
Conducted by experts, our NIS Regulations Gap Analysis will highlight shortcomings in your overall security programme to help you prioritise objectives and establish a roadmap for achieving full NIS Regulations compliance. Kick-start your NIS Regulations compliance journey today.