EU regulators have been concerned about the growing threat to our essential services, particularly in view of the number of successful cyber attacks targeting critical infrastructure. As part of their response, they introduced a law in 2016 dedicated to helping protect essential services: the Directive on security of network and information systems (NIS Directive).
The NIS Directive applies to two groups of organisations. The first, operators of essential services (OES), covers critical infrastructure, including the health, energy, water and transportation sectors. The second, digital service providers (DSPs), covers online search engines, Cloud computing services and online marketplaces.
The European Commission mandated that the Directive be incorporated into each EU member state’s national laws by 9 May 2018. That deadline has now passed. However, so far, only six countries have finished making the necessary amendments to incorporate the Directive’s requirements, and two have partially completed this.
Shockingly, that means that 20 member states are yet to take steps to meet the Directive’s requirements. Those states may be subject to infringement procedures launched by the European Commission.
Penalties for non-compliance
Regardless of what progress your national government has made in implementing the Directive, your organisation should start its compliance project sooner rather than later. The compliance requirements are extensive, and improving your security posture will benefit you regardless of existing legislation; given the growing number and severity of cyber attacks, it is important that organisations enhance their cyber security measures in any case.
Once the Directive is transposed into national law, organisations may only have until November 2018 to comply, so getting started with your compliance project now is crucial. The penalties for non-compliance set under the Directive are likely to be substantial: the UK has imposed fines of up to £17 million and the Dutch government has proposed a maximum penalty of €5 million.
Cyber resilience and the NIS Directive
The most effective way to meet the NIS Directive’s requirements – and other legislation, such as the GDPR – is to implement a robust cyber resilience programme that incorporates best-practice information security, incident response and business continuity measures.
If you’re unsure of what your national government’s specific thresholds will be with respect to the NIS Directive but want to get started on your compliance project to avoid hefty financial penalties, our free NIS Directive compliance guide provides further details on what organisations need to do to meet its requirements. The guide addresses:
- The seven essential sectors that must comply;
- Which DSPs are covered and which are excluded;
- The functions of the proposed CSIRTs network;
- Organisations’ risk management and incident reporting obligations; and
- How adopting cyber resilience helps organisations meet the Directive’s requirements.