Operators of Essential Services and the NIS Regulations
The Network and Information Systems Regulations 2018 (NIS Regulations) came into effect on 10 May 2018.
The NIS Regulations, derived from the EU Directive on security of network and information systems (NIS Directive), apply to two main groups: digital service providers (DSPs) and operators of essential services (OES). Under the NIS Directive, DPSs within the scope are those that offer their services to EU organisations and residents, and are headquartered in the UK or have nominated a UK-based representative.
OES have stricter security requirements than DSPs because of the typically higher risks they face – service interruptions would have more severe and possibly physical consequences. This also makes them more attractive targets. As such, OES will be more actively monitored and subject to audits by regulators (known as ‘competent authorities’).
What is an operator of essential services?
The NIS Regulations list the following categories of OES:
- Digital infrastructure
The Regulations set out a comprehensive table of criteria to help organisations identify whether they are likely to be classified as an OES within these sectors.
OES are required to register with their competent authority before 10 August 2018. Competent authorities will be expected to keep a register of these and determine by 10 November 2018 if there are any other organisations that fall within the scope of the NIS Regulations.
Consequences for non-compliance with the NIS Regulations
Each UK competent authority will set its own maximum fine. However, that fine will not exceed £17 million – the maximum penalty stipulated by the NIS Regulations – excluding the costs of investigations determining the cause of the incident.
Once an incident occurs, if an organisation is found to be non-compliant, the level of fine issued will be assessed by the competent authority, and will vary depending on the level of compliance and severity of the incident.
Under the NIS Regulations, a multiple competent authority approach has been taken, and the competent authorities have been defined for each sector.
Competent authorities oversee how organisations comply with the Regulations, and should be able to assess both how organisations apply the 14 principles and enforce them.
Compliance requirements for OES
The NIS Regulations set out strict compliance obligations for OES to ensure they “take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in their operations” as specified in the NIS Directive.
The National Cyber Security Centre (NCSC) has published guidance that describes 4 objectives, which are then broken down into 14 high-level principles. These principles describe the “mandatory security outcomes to be achieved”; OES can comply with the NIS Regulations by meeting these principles.
Objective A. Managing security risk
- A.1 Governance
- A.2 Risk management
- A.3 Asset management
- A.4 Supply chain
Objective B. Protecting against cyber attack
- B.1 Service protection policies and procedures
- B.2 Identity and access control
- B.3 Data security
- B.4 System security
- B.5 Resilient networks and systems
- B.6 Staff awareness and training
Objective C. Detecting cyber security events
- C.1 Security monitoring
- C.2 Anomaly detection
Objective D. Minimising the impact of cyber security incidents
- D.1 Response and recovery planning
- D.2 Improvements
Incident reporting structure for OES
In line with the General Data Protection Regulation (GDPR), organisations must report incidents of significant impact to their competent authority within 72 hours of becoming aware of the fact.
All incidents must be reported to the competent authority, and competent authorities will outline the incident reporting thresholds for each sector. The UK consultation document for the NIS Directive breaks the incident reporting structure down into two sections:
- Incident response – acts as a support function where the NCSC should be approached for cyber-related incidents, and the competent authority or lead government department should be approached for assistance with non-cyber related incidents.
- Incident notification – acts as a regulatory process wherein incidents must be reported to the competent authority and they will then decide if a follow-up investigation is required.
The Cyber Assessment Framework (CAF)
OES that fall within the scope of the NIS Regulations are subject to audits by their competent authority responsible for monitoring their compliance.
The CAF has been developed by the NCSC as a framework for competent authorities to determine if OES have applied appropriate measures to protect the security of their network and information systems, and can help them audit compliance. The CAF can also be used by OES for self-assessment purposes.
The CAF breaks each principle down into specific outcomes, which are then further broken down into indicators of good practice (IGPs), which an auditor will use to determine if the organisation has correctly applied the principles.
Some competent authorities are expected to develop a sector-specific CAF.
A cyber resilience programme combining information security management, incident response and business continuity management can enable an organisation to identify and avoid being heavily impacted by disruptive incidents.
Implementing a cyber resilience programme aligned to international standards is the most comprehensive way for OES to comply with the requirements of the NIS Regulations. The NCSC also recommends OES take note of best-practice frameworks, including international standards, to meet the 14 principles.
Although the Regulations don’t specify that OES must implement business continuity measures, we strongly recommend you nonetheless do so. In addition to protecting your organisation from harm, it could provide you with a competitive advantage and help you comply with other legislation. The most comprehensive approach to taking business continuity measures is by implementing a business continuity management system (BCMS) that aligns with the international standard ISO 22301.
To ensure that your cyber resilience programme is robust and in line with international best practice, we recommend using the following standards to form your project’s blueprint:
- ISO 27001 – ISMS
- ISO 27035 – Information security incident response
- ISO 22301 – BCMS
How IT Governance can help you achieve NIS Regulations compliance
- We deliver the entire suite of consultancy, training and tools needed for NIS Regulations compliance.
- Our unique combination of technical expertise and solid track record in international management system standards means we can deliver a complete solution for NIS compliance and manage the project from start to finish.
- As part of our work with organisations in all industries, we have managed hundreds of projects around the world.
- We have multi-disciplinary teams that can undertake rigorous penetration testing of your systems and networks, project managers to roll out compliance implementation projects, and executive expertise to brief your board and develop a suitable risk mitigation strategy.
- We deliver practical advice and work according to your budget and organisational needs. No company or project is ever too big or small.
- We offer clear and transparent pricing.
Speak to an expert
If you are an OES and would like more information on our products and services, please contact our NIS Regulations team today.