The Directive on Security of Network and Information Systems (NIS Directive)
The NIS Directive compliance scope: who must comply?
The Directive applies to:
- Operators of Essential Services (OESs) that are established in the EU, and
- Digital Service Providers (DSPs) that offer services to persons within the EU. [1]
[1] The Directive does not apply to DSPs that are considered small and micro businesses (companies employing fewer than 50 people whose annual turnover and/or balance sheet total is less than €10 million).
The NIS Directive requires OESs and DSPs to:
- Take appropriate technical and organisational measures to secure their networks and information systems;
- Take into account the latest developments and consider potential risks facing their systems;
- Take appropriate measures to prevent security incidents, or at least minimise impact to ensure service continuity; and
- Notify the relevant competent authority of any security incident having a significant impact on service continuity without undue delay.
Consequences for non-compliance with the NIS Directive
Member States are required to set their own rules on financial penalties and must take the measures necessary to ensure that they are implemented. It is likely that Member States will implement tough penalties similar to those of the GDPR (General Data Protection Regulation).
Compliance may be monitored through routine audits of OESs.
What is an Operator of Essential Services (OES)?
The NIS Directive is aimed at bolstering cyber security across sectors that rely heavily on information and communications technology (ICT). Certain businesses operating in critical industries are known as OESs.
The sectors affected by the NIS Directive are:
- Digital infrastructure;
- Banking and financial market infrastructures;
- Healthcare; and
What is a Digital Service Provider (DSP)?
The NIS Directive applies to the following key DSPs that normally provide their service “for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”.
DSPs can be categorised as the following organisations:
- Search engines.
- Cloud computing services.
- Online marketplaces.
Specific compliance requirements for DSPs:
The Directive states that DSPs “remain free to take technical and organisational measures they consider appropriate and proportionate to manage the risks”, as long as the measures provide an “appropriate level of security” and factor in the NIS Directive’s requirements.
DSPs are required to ensure a level of security appropriate to the risk posed in offering covered services, considering the following elements:
- The security of systems and facilities
- Incident handling
- Business continuity management
- Monitoring, auditing and testing
- Compliance with international standards
The Commission’s Implementing Regulation for DSPs
An Implementing Regulation provides further clarity for DSPs on how they will be expected to comply with the NIS Directive.
In addition to information security and business continuity measures, DSPs need to establish incident response measures based on an assessment of the incident’s severity.
The Implementing Regulation will take effect from 10 May 2018, and will apply to all EU member states.
What should be done to achieve NIS Directive compliance?
The best approach to achieve compliance is for DSPs and OESs to implement a cyber resilience programme that incorporates the following:
- Robust cyber security defences.
- Adequate cyber risk preventative measures.
- Appropriate tools and systems to deal with and report incidents.
Achieving compliance through cyber resilience
Article 19 of the NIS Directive encourages the use of European or internationally accepted standards and specifications relevant to the security of network and information systems.
NIS Directive compliance will be achievable by adopting an integrated management system that incorporates ISO 27001 and ISO 22301. It will help your organisation achieve an internationally accepted posture of cyber resilience based on risk management best practice – exactly as the new legislation requires – and remove the burden of multiple compliance audits.
Why IT Governance?
- We deliver the entire suite of consultancy, training and tools needed for NIS Directive compliance.
- Our unique combination of technical expertise and solid track record in international management system standards means we can deliver a complete solution for compliance and manage the project from start to finish.
- As part of our work with organisations in all industries, we have managed hundreds of projects around the world.
- We’re independent of vendors and certification bodies, and encourage our clients to select the best fit for their needs and objectives.
- We have multi-disciplinary teams that can undertake rigorous penetration testing of your systems and networks, project managers to roll out compliance implementation projects, and executive expertise to brief your board and develop a suitable risk mitigation strategy.
- We deliver practical advice and work according to your budget and organisational needs. No company or project is ever too big or small.
- We offer clear and transparent pricing.