The Directive on security of network and information systems (NIS Directive) aims to achieve a high common level of network and information systems security across the EU.
The Directive applies to two groups. The first, operators of essential services (OES), covers sectors such as health, energy, water and transport. The second, digital service providers (DSPs), covers online search engines, cloud computing services and online marketplaces.
EU member states have until 9 May 2018 to transpose the NIS Directive into national law, and until 9 November 2018 to identify which OES fall within the Directive’s scope.
The NIS Directive’s requirements
Both OES and DSPs must:
- Take appropriate technical and organisational measures to secure their network and information systems;
- Take account of the state of the art and the risks facing their systems;
- Take appropriate measures to prevent and minimise the impact of security incidents and to ensure service continuity; and
- Notify the competent authority or CSIRT, without undue delay, of any security incident that has a significant impact on the continuity of the service they provide.
There are also separate requirements for OES and DSPs. The UK’s National Cyber Security Centre (NCSC) has outlined 14 high-level security principles that UK OES are expected to meet, while the European Commission sets out the security measures and incident reporting thresholds for DSPs in more detail.
Consequences of failing to comply
Each EU member state is responsible for enforcing the NIS Directive once it has transposed it into national law, and for setting its own rules on penalties for non-compliance. It’s likely that most will adopt a structure similar to that of the EU General Data Protection Regulation (GDPR), under which the maximum penalty is €20 million or 4% of annual global turnover, whichever is higher.
The level of any fine will be assessed by the competent authority, and can vary between sectors.
Want to know more?
Our free NIS Directive compliance guide goes into more detail about the Directive and what organisations need to do to meet its requirements. It covers:
- The six essential sectors that must comply;
- Which DSPs are covered and which are excluded;
- The functions of the proposed CSIRTs Network;
- Organisations’ risk management and incident reporting obligations; and
- How adopting cyber resilience helps organisations meet the Directive’s requirements.