Technology has brought us into a world that many of us only poorly understand. While we may have some grasp of this technology, there is often a lack of real understanding as to how these technologies work and interact. A few decades ago, we understood that if the water levels fell then the hydroelectric plant would not be able to generate electricity. We knew that interchanges connected our phones to other phones elsewhere in the world. We had some appreciation of the fact that supermarkets and other retailers would have to call suppliers and wholesalers in order to have food delivered. Essential services and infrastructure were quite simple to understand.
Nowadays, so much has been automated and interlinked that it can be difficult to understand how our phone calls are connected or where our power comes from. Most people do not need to really understand how society continues to function. They do not need to know that RFID chips attached to crates of fruit make sure there is always fresh fruit on supermarket shelves. The electricity grid is driven by hundreds of power stations, with the flow managed, surpluses stored and shortfalls accounted for automatically. Our phones connect to remote cell towers and flicker between them to maintain the best possible connection. For the most part, as long as everything keeps working, we have no desire to understand any of this.
What we do want, however, is reassurance that these services will not be interrupted. This is not just for the benefit of the common person: our whole society relies on critical infrastructure, and this infrastructure is supported by a set of services. In the modern world, these services and infrastructure can be attacked not just physically but also digitally, and digital attacks can have significant repercussions in the physical world.
In 2014, a German steel factory suffered a cyber attack that caused significant physical damage to its machinery by turning off industrial controls. More famously, the original Stuxnet worm infected the Natanz nuclear facility in Iran in 2010 and destroyed almost one fifth of the country’s nuclear centrifuges. In 2015, Ukraine was the victim of what is believed to be the first successful attack against a power grid, which left 230,000 people without power for up to six hours.
Cyber criminals and the point of weakness
Unfortunately, cyber criminals need to find just one weakness to infiltrate and potentially cause damage, but an organisation has to patch all of its vulnerabilities and defend against all types of attacks. These threats are significant not just because they are difficult to stop but also because they are increasingly within reach of even common criminals. Only a few years ago, a Polish teenager was able to hack into the Lodz tram network, derailing several carriages and injuring 12 people; you might have reasonably assumed that such attacks came from state actors or well-funded terrorist or dissident groups, but it is the nature of information to be replicated and reused. As such, the threat is proliferating and will continue to do so.
In the European Union, threats to infrastructure and essential services can be especially severe because so many organisations operate across borders – a single service may be critical to several nations, so a single threat can affect all of them. This also means that each nation has an obligation to its neighbours to adequately protect its critical infrastructure and services.
These are the conditions of the modern world, and protecting our infrastructure and critical services is now recognised as essential. Without electricity, water, sewage, transport and the Internet, it is almost impossible to do business – or indeed for our modern society as a whole to function – and the EU is, after all, a major trading partnership.
The EU’s Directive on security of network and information systems (NIS Directive) is part of the legislated response to these threats. It aims to establish a “high common level of security of network and information systems across the Union” (NIS Directive, Preamble), which will not only protect the Union’s economy but also those of its trading partners, because they will benefit from the stability of the EU’s infrastructure and services.
It is important to understand that the Directive is not just about cyber security or just about service continuity. It certainly requires cyber security and business continuity measures, but it is more accurately a synthesis of the two: cyber resilience. The fundamental thrust of the legislation is not simply that critical infrastructure organisations must be able to defend themselves, but that they must be able to continue functioning in the event of an incident. As part of this, there must also be a degree of communication and cooperation between EU Member States, both to share intelligence and to limit the spread of any attack.
This green paper explains the applicability of the Directive, summarises its requirements and provides expert guidance on how your organisation can demonstrate compliance.
Background of the NIS Directive
When the Directive was adopted in 2016, most EU Member States already had some regulations or laws regarding how critical infrastructure and services must be protected. These regulations and laws lacked a consistent approach, however: what one country considers an adequate level of cyber security may not meet its neighbour's standards, and one country may apply conditions to a specific sector while its neighbour does not.
On the face of it, this may not appear to be a problem: a country’s infrastructure should be its own concern, and it is in that country’s interests to protect it, regardless of the measures its neighbours are taking or its antipathy to EU intervention. With such interconnected economies, however, and the prevalence of cross-border infrastructure and services, it is important for there to be some measure of consistency and cooperation between Member States. This is especially true of digital service providers (DSPs), which often operate across borders.
The EU, as most organisations should be aware, began and remains primarily a tool for streamlining business throughout the continent. To this end, it has largely focused on standardising and formalising trade and business. The EU has two types of legal instrument that are used to regulate business:
- Directives: These set minimum standards and parameters for the EU, but leave the actual implementation down to the states themselves. When a directive is passed, the EU sets a deadline by which every Member State must have put the directive into force, whether by law, regulation or other initiative.
- Regulations: These apply across the EU with the same authority as if they were local laws. Member States may choose to pass their own laws to implement a regulation (often because the regulation requires each state to define some detail individually), but the regulation will apply regardless.
The European Union Agency for Network and Information Security (ENISA) has published guidance to help Member States and DSPs comply. Because DSPs typically offer cross-border services, the guidance in the NIS Directive itself is also of use for DSPs. For instance, Recital 48 explains that:
Many businesses in the Union rely on digital service providers for the provision of their services. As some digital services could be an important resource for their users, including operators of essential services, and as such users might not always have alternatives available, this Directive should also apply to providers of such services.
It goes on to emphasise that:
The security, continuity and reliability of the type of digital services referred to in this Directive are of the essence for the smooth functioning of many businesses. A disruption of such a digital service could prevent the provision of other services which rely on it and could thus have an impact on key economic and societal activities in the Union. Such digital services might therefore be of crucial importance for the smooth functioning of businesses that depend on them and, moreover, for the participation of such businesses in the internal market and cross-border trade across the Union.
Local requirements and guidance can further clarify the requirements for DSPs. Additionally, the EU set out the security measures and incident reporting thresholds for DSPs in more detail in the Implementing Regulation.
This is an extract from A concise introduction to the NIS Directive – A pocket guide for digital service providers
©IT Governance Publishing Ltd
A clear, concise primer on the NIS Directive for DSPs, covering:
- The key requirements to achieve compliance;
- DSPs that fall within scope; and
- How compliance is regulated.