10 Things About The Network and Information Security Directive (NIS)

Have you heard about the European Union’s Network and Information Security (NIS) Directive, which is scheduled to enter into member state law in 2018? 
 
Maybe not. Both the world’s attention and appetite for IT security legislation has been overfed with all things General Data Protection Regulation (GDPR) over the past two years, leaving little limelight for its younger sibling.
 
Yet despite slipping under the radar, its requirements will have profound consequences for those it applies to whether they know it or not.
 
Implications of the NIS Directive and GDPR  
The NIS Directive will not apply to all organisations, only to ‘operators of essential services’ in the energy, transport, banking, financial market infrastructures, health sector, water and digital infrastructure sectors.  
 
Broadly, it will require these organisations to implement appropriate security measures, and to notify incidents to the competent authority. However, the specific details will be decided by individual Member States, and have yet to be finalised.    
In contrast, the GDPR will apply to any business, public authority or charity established in the EU that uses information about living individuals, whether employees, customers or suppliers. It will also apply to any business located outside the EU that offers goods and services to citizens in the EU, or monitors citizens’ behaviour in the EU.  
 
GDPR will be brought into national law in the UK by way of the Data Protection Bill, and is intended to continue to apply after the UK leaves the EU.  
 
The legislation imposes a number of standards upon those organisations to which it applies. It specifies that organisations must not only keep personal information secure, but that they have a duty of transparency towards the individuals to whom the information relates. 
 
Below are ten things you should know about the NIS directive, how it differs from the GDPR, its requirements and its application:
 
1. It’s a Directive, not a Regulation
With the noise generated by the GDPR, many will have brushed up on the European law glossaries recently, noting that the NIS is a directive and not a regulation. 
Unlike a regulation, which is absorbed into member state law in its original form, a directive is an instruction to member state governments to implement their own laws in the spirit of the directive. The UK’s outgoing Data Protection Act 1998 was the result of the European Data Protection Directive 1995.
 
2. Brexit Changes Nothing
Much has been made of the UK’s exit from the European Union and how that affects incoming legislation during the negotiation period. 
Like the GDPR, the NIS will begin to affect member states in 2018, before the UK has officially left the EU. Despite the grey area, the government of the UK has confirmed that NIS will be transposed into local law at the expected timeframe despite an uncertain future.
 
3. What is Its Purpose?
The NIS directive aims to improve the cyber-security capabilities at a national level and foster better communication across EU member states. This will involve each member state adopting a national strategy on achieving a high level of cyber-security for networks and information systems across essential services.
 
4. A Focused Scope
The NIS is smaller in its scope than the GDPR and will be applicable to organisations operating in critical verticals, sometimes referred to as CNI (Critical National Infrastructure). This includes energy, transport, banking, financial market infrastructures, health, water, and digital infrastructure. 
 
The NIS categorises two types of target organisations:
 
• Operators of Essential Services – OoESs are to be identified by member states by no later than Q4 2018. They will be determined based on whether the entity provides a service that is essential for the maintenance of critical societal/economic activities, the provision of that service depends on network and information systems, and a security incident would have significant disruptive effects on the provision of the essential service.
• Digital Service Providers – A DSP (Digital Service Provider) is defined as a person or organisation offering a digital service at a distance which could cause widespread disruption if unavailable to an OoES (Operator of Essential Services). Specifically referred to in the NIS directive are online marketplaces, cloud computing services and online search engines.
 
5. Security Obligations and Breach Notifications
Much like the GDPR, there are obligations for OoESs and DSPs to implement “state of the art” technologies to manage the security risks of their networks and systems, with mandatory breach notifications to NCAs (National Competent Authorities) and CSIRTs (Computer Security Incident Response Teams) in the event of an substantial or significant incident.
 
6. Appointment of an/a NCA(s)
The directive requires each member state to designate one or more NCAs (National Competent Authority)that will monitor the application of the NIS at a national level. In the case of multiple NCAs, each NCA will be assigned one or more sectors to achieve a clear jurisdiction. In either case, each member state will need to nominate a SPoE (Single Point of Contact) that will liaise with other member states and CSIRTs on behalf of all NCAs.
 
7. The CSIRTs
Computer Security Incident Response Teams will be responsible for monitoring incidents, providing early threat warnings, and responding to any incidents. As with the NCAs, a Member State may designate multiple CSIRTs. 
In addition, the NIS Directive establishes a network of CSIRTs in which each Member State CSIRT must participate. This network’s duties include exchanging information about security incidents and providing member States with support in addressing cross-border incidents.
 
8. Enforcement is Relative
Unlike the GDPR, the ability to punish those who are non-compliant is flexible based on the Member State. The directive allows NCAs to forcibly request information from DSPs and OoESs in order to assess their implementation of NIS and order corrective action. However, when it comes to penalties, it permits member states to develop their own sanctions so long as they are proportionate, effective and dissuasive.
 
9. Extra-Territorial Reach
DSPs and OoESs are deemed to be under the jurisdiction of the NIS directive where their main establishment is. If they are not based in an EU or EEA member state and offer in-scope services, they must still comply with the directive and appoint a representative based in an EU or EEA member state.
 
10. What’s Next?
The directive has set out clear timeframes for Member States to follow. Based on the information available at the time of writing, the directive is expected to be accepted into Member State law by Q2 2018. Once transposed into national law, Member States will have up to six months to identify their local OoESs.
 
NIS VS. GDPR
Considering the timing and its focus on network and information security systems, it is natural to compare the NIS directive and the GDPR. However, the NIS is both narrower and broader than the GDPR in different ways. For example, the NIS directive refers to wider system-level defences and risk mitigation rather than personal information and its relative collection and processing. 
 
Yet it is also directed toward specific organisations, in particular, those that are deemed to perform or provide critical services. In either case, it will be a reality for some that they need to comply with both, a tough task for compliance officers in the coming twenty-four months.
 
It is easy to point at meddling European politicians as introducing reams of red-tape and costly requirements, but we have all seen the consequences of critical services being unavailable. Examples include British Airways computer systems being non-operational for a number of days leading to large-scale disruption and the NHS having to turn away patients because of the WannaCry ransomware outbreak.
 
In today’s world, it not always about how strong your army is, how tough your immigration policy is, or how high you can build a wall. It is about the cyber resilience of those services we all rely on.
 
Silicon:         Tripwire:
 
You Might Also Read: 
 
GDPR - 10 Things You Must Know:
 
The New GDPR Rules Focus On Consumer Protection:
 
European Privacy Directive: Encryption Without Backdoors:
 
« Attacks On UK Critical Infrastructure Will Double
British Banks Are Hiding Cyber Attacks »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

D-RisQ

D-RisQ

D-RisQ is focussed on delivering techniques to reduce the development costs of complex systems and software whilst maximising compliance

IONU Security

IONU Security

IONU offer a security platform focused specifically on providing Data-centric Security.

Brit

Brit

Brit PLC is a market-leading global specialty insurer and reinsurer, focused on underwriting complex risks including cyber, privacy and technology.

ForgeRock

ForgeRock

ForgeRock, the leader in digital identity, delivers comprehensive Identity and Access Management solutions for consumers, employees and things to simply and safely access the connected world.

Maryman & Associates

Maryman & Associates

Maryman & Associates are specialists in computer forensic investigations, incident response and e-discovery services.

CS Group

CS Group

CS Group offers a complete range of security solutions from consultancy to security maintenance and from secure infrastructure design to security governance.

SANS CyberStart

SANS CyberStart

SANS CyberStart is a unique and innovative suite of tools and games designed to introduce children and young adults to the field of cyber security.

Computest

Computest

Computest security testing services include Mobile app security, Vulnerability assessments, Attack & penetration testing, Security awareness training, Network security assessments.

BigWeb Technologies

BigWeb Technologies

BigWeb Technologies is dedicated to provide its clients with ICT related services including Infrastructure Solutions, Consultancy and Security.

H-ON Consulting

H-ON Consulting

H-ON Consulting develops and applies robust cyber security procedures enabling control systems to be secure.

Rule4

Rule4

Rule4 is a global professional services firm that provides practical, real-world knowledge and solutions in areas including cybersecurity, AI, Machine Learning and industrial control systems.

Casque SNR

Casque SNR

CASQUE SNR is the next generation of Identity Assurance that has potential to supersede existing solutions. It provides Identity Assurance for both people and things.

Alertot

Alertot

Hackers attack minutes after a new vulnerability is published. Alertot helps to decrease exposure time in organizations by notifying new issues when they are disclosed.

CYOSS

CYOSS

CYOSS, an ESG Group company, is a specialist in Cyber Security and Data Analytics. We focus on the opportunities of a networked world and make security risks manageable.

QAlified

QAlified

QAlified offer independent testing and quality assurance services for software projects including security testing.

Technation

Technation

Technation proudly represents the Canadian technology companies that are furthering our nation and the world into the future through innovation, creativity and ingenuity.

Vana Solutions

Vana Solutions

Vana Solutions is an Information Technology Services company. We help commercial & federal organizations select, adapt, and integrate the right technology solution so you can move faster.