The Directive on Security of Network and Information Systems (NIS Directive, (EU) 2016/1148) applies to OES (operators of essential services) and DSPs (digital service providers). It focuses on the network and information systems on which the availability of services within the EU depends, in order to protect the Union's critical infrastructure and economies.
Consequences for non-compliance
Member states are required to set their own rules on financial penalties and must take the measures necessary to ensure they are enforced.
The Directive states that these must be “effective, proportionate and dissuasive”, but the exact figures vary per member state. In the UK, for example, non-compliant organisations may be fined up to £17 million.
Get in touch today to discuss how you can prepare for compliance
Who must comply with the NIS Directive requirements?
The Directive applies to OES that are established in the EU and DSPs that offer their services within the EU.
The Directive does not apply to DSPs that are micro or small enterprises as defined in Commission Recommendation 2003/361/EC (organisations employing fewer than 50 people whose annual turnover and/or balance sheet total does not exceed €10 million).
Download our free green paper to find out how you can prepare for compliance
What is an OES?
The NIS Directive is aimed at bolstering cyber security across sectors that rely heavily on ICT (information and communications technology). Within those sectors, each member state identifies the organisations that provide a service essential to critical societal or economic activities, that depend on network and information systems to provide it, and for which an incident would have a significant disruptive effect. These organisations are designated as OES.
The NIS Directive (Annex II) applies to the following sectors:
- Energy
- Transport
- Banking
- Financial market infrastructures
- Health
- Drinking water supply and distribution
- Digital infrastructure
Note that the sectors are fixed by the Directive, but the operators identified within them, and the thresholds used to identify them, differ per member state.
What is a DSP?
The NIS Directive (Annex III) lists the following categories of DSP, defined in Article 4:
Cloud computing services
Organisations that provide “a digital service that enables access to a scalable and elastic pool of shareable computing resources” (Article 4(19)).
Online marketplaces
Organisations that provide “a digital service that allows consumers and/or traders [...] to conclude online sales or service contracts with traders either on the online marketplace’s website or on a trader’s website that uses computing services provided by the online marketplace” (Article 4(17)).
Online search engines
Organisations that provide “a digital service that allows users to perform searches of, in principle, all websites or websites in a particular language on the basis of a query on any subject in the form of a keyword, phrase or other input, and returns links in which information related to the requested content can be found” (Article 4(18)).
The Commission’s Implementing Regulation and ENISA’s guidance for DSPs
Commission Implementing Regulation (EU) 2018/151 provides further clarity for DSPs on how they will be expected to comply with the NIS Directive: it specifies the elements DSPs must take into account when managing the risks to their network and information systems, and the parameters for determining whether an incident has a substantial impact and must therefore be notified.
ENISA (European Union Agency for Network and Information Security) has also published “Technical Guidelines for the implementation of minimum security measures for Digital Service Providers”, which describes 27 security objectives that DSPs are advised to take into consideration in their compliance projects.
How to achieve compliance with the NIS Directive
The best approach to achieving compliance is for DSPs and OES to implement a cyber resilience programme that incorporates measures for information security, business continuity and incident response.
International standards such as ISO 27001 (information security management), ISO 27035 (incident management) and ISO 22301 (business continuity management) serve as suitable frameworks for achieving NIS Directive compliance.
The implementation of business continuity management, penetration testing and cyber incident response (CIR) management can help organisations achieve a heightened level of cyber resilience and help facilitate compliance with the NIS Directive.
Contact us today to start assessing your compliance needs
NIS Directive Gap Analysis for DSPs
Conducted by cyber security experts, the NIS Directive Gap Analysis highlights the shortcomings between a DSP’s information security arrangements and the requirements of the NIS Directive and Implementing Regulation. Speak to us today for a free, no obligation quote.