The Directive on Security of Network and Information Systems (NIS Directive)
The Directive on Security of Network and Information Systems (NIS Directive) ((EU) 2016/1148) aims to achieve a high common level of network and information systems security across the European Union in three ways:
1. Improving cyber security capabilities at the national level.
2. Increasing cooperation on cyber security among EU member states.
3. Introducing security measures and incident reporting obligations for operators of essential services (OESs) in critical national infrastructure (CNI) and digital service providers (DSPs).
The NIS Directive was adopted by the European Parliament on 6 July 2016 and entered into force in August 2016. EU member states have until May 2018 to transpose it into national law, and a further six months to identify the OESs to which it applies.
The NIS Directive sets out security requirements and incident notification rules for DSPs that are different from those that apply to OESs.
Consequences for non-compliance with the NIS Directive
Member states are required to set their own rules on financial penalties and must take the measures necessary to ensure that they are enforced. It is likely that member states will implement tough penalties similar to those of the GDPR (General Data Protection Regulation).
A consultation document has been released to outline the UK Government’s plans to facilitate NIS Directive compliance.
One way of monitoring compliance may be through routine audits of OESs. DSPs may not face these types of audits due to a ‘light touch’ approach proposed by the NIS Directive, whereby enforcement can only be applied to DSPs after an incident has occurred, or if a company is reported to the competent authority to be non-compliant.
The NIS Directive compliance scope: who must comply?
The NIS Directive applies to OESs that are established in the EU and to DSPs that offer services to persons within the EU. The Directive does not apply to hardware and software developers, or to digital service providers that are considered small or micro businesses (companies employing fewer than 50 people whose annual turnover and/or balance sheet total is less than €10 million).
What is an Operator of Essential Services (OES)?
The NIS Directive is aimed at bolstering cyber security across sectors that rely heavily on information and communications technology (ICT). Certain businesses operating in critical industries are known as OESs.
OESs are public or private entities that meet all of the following criteria:
- The operator provides a service that is essential to society and the economy.
- The service rendered depends on network and information systems.
- An incident affecting the network and information systems of that service would have significant disruptive effects on its provision.
Each member state must identify the OESs by November 2018.
The sectors affected by the NIS Directive are:
- Banking and financial market infrastructures;
- Healthcare; and
- Digital infrastructure.
What is a Digital Service Provider (DSP)?
The NIS Directive applies to the following key DSPs that normally provide their service “for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”. The onus is on online companies to determine for themselves whether they are DSPs and are subject to the Directive’s security and notification requirements.
DSPs fall into the following categories of organisation:
- Search engines.
- Cloud computing services.
- Online marketplaces.
Security and incident reporting measures under the NIS Directive
The NIS Directive does not provide an overly prescriptive security regime or protocol. Those subject to the Directive are instead required to adopt “appropriate and proportionate technical and organisational measures” to achieve compliance.
Article 44 states that a culture of risk management, involving risk assessment and the implementation of security measures appropriate to the risks, should be promoted and developed.
Not only cyber security risks
The NIS incident reporting requirements are not limited to “cybersecurity” incidents: any incident affecting the security of the network and information systems used to provide the essential service may be reportable. These include power failures, environmental hazards, hardware failures, cyber attacks, malware, intrusions and viruses.
The NIS Directive does not specify a timeframe for reporting incidents, stating only that operators must notify the competent authority of an incident “without undue delay”. Member states may adopt their own, more specific reporting requirements.
International standards such as ISO 27001 and ISO 22301 are based on the outcomes of risk assessments and serve as ideal frameworks for achieving NIS Directive compliance.
In fact, Article 19 mentions that compliance with international standards is encouraged.
The NIS Directive requires OESs and DSPs to:
- Take appropriate technical and organisational measures to secure their network and information systems;
- Take into account the latest developments and consider the potential risks facing the systems;
- Take appropriate measures to prevent and minimise the impact of security incidents to ensure service continuity; and
- Notify the relevant supervisory authority of any security incident having a significant impact on service continuity without undue delay.
Specific compliance requirements for DSPs:
DSPs are required to ensure a level of security appropriate to the risk posed in offering covered services, considering the following elements:
- Security systems and facilities.
- Incident handling.
- Business continuity management.
- Monitoring, auditing and testing.
- Compliance with international standards.
The Directive provides only a sketchy description of the minimum security measures required for DSPs, so ENISA has produced additional technical guidance for DSPs.
Incident notification rules for DSPs
The European Commission, in cooperation with member states, will set out the framework for incident reporting by DSPs under the NIS Directive.
The NIS Directive and the GDPR
Guidance provided by ENISA warns of potential overlaps between the incident reporting requirements of the NIS Directive and the data breach notification rules of the General Data Protection Regulation (GDPR). DSPs could have to report the same incident to different authorities under the NIS Directive and the GDPR.
What should be done to achieve NIS Directive compliance?
The best approach to achieve compliance is for DSPs and OESs to implement a cyber resilience programme that incorporates the following:
- Robust cyber security defences.
- Adequate cyber risk preventative measures.
- Appropriate tools and systems to deal with and report incidents and data breaches.
Achieving compliance through cyber resilience
Article 19 of the NIS Directive encourages the use of European or internationally accepted standards and specifications relevant to the security of network and information systems.
By adopting two leading international standards, one for information security and one for business continuity management, your organisation will have taken appropriate technical and organisational measures to manage its risks and to minimise the impact of incidents affecting the security of its network and information systems. This can be done through a cyber resilience approach based on ISO 27001 and ISO 22301.
ISO 27001: the best-practice standard for information security
ISO 27001 is the internationally recognised best-practice standard that lays out the requirements of an information security management system (ISMS) and forms the backbone of every intelligent cyber security risk management strategy.
ISO 22301: the best-practice standard for business continuity
Effective business continuity management means an organisation can resume operations and return to ‘business as usual’ as quickly as possible after a disruptive incident. A business continuity management system (BCMS) is a comprehensive approach to organisational resilience. It helps organisations to update, control and deploy effective plans, taking into account contingencies, capabilities and business needs.
ISO 22301 sets out the requirements for a BCMS that incorporates disaster recovery and is widely considered the leading framework for effective business continuity management.
Adopting an integrated approach for cyber resilience
NIS Directive compliance is achievable by adopting an integrated management system that incorporates ISO 27001 and ISO 22301. This will help your organisation achieve an internationally accepted posture of cyber resilience based on risk management best practice – exactly as the new legislation requires – and remove the burden of multiple compliance audits.
Why IT Governance?
- We deliver the entire suite of consultancy, training and tools needed for NIS compliance.
- Our unique combination of technical expertise and solid track record in international management system standards means we can deliver a complete solution for NIS compliance and manage the project from start to finish.
- As part of our work with organisations in all industries, we have managed hundreds of projects around the world.
- We’re independent of vendors and certification bodies, and encourage our clients to select the best fit for their needs and objectives.
- We have multi-disciplinary teams who can undertake rigorous penetration testing of your systems and networks, project managers to roll out compliance implementation projects, and executive expertise to brief your board and develop a suitable risk mitigation strategy.
- We deliver practical advice and work according to your budget and organisational needs. No company or project is ever too big or small.
- We offer clear and transparent pricing.
Let’s work together to get things moving
Whatever the nature or size of your problem, we are here to help. Request a call and one of our experts will get in touch as soon as possible.
Please contact us for further information or to speak to an expert.