10 Things About The Network and Information Security Directive (NIS)

Have you heard about the European Union’s Network and Information Security (NIS) Directive, which is scheduled to enter into member state law in 2018? 
 
Maybe not. Both the world’s attention and appetite for IT security legislation has been overfed with all things General Data Protection Regulation (GDPR) over the past two years, leaving little limelight for its younger sibling.
 
Yet despite slipping under the radar, its requirements will have profound consequences for those it applies to whether they know it or not.
 
Implications of the NIS Directive and GDPR  
The NIS Directive will not apply to all organisations, only to ‘operators of essential services’ in the energy, transport, banking, financial market infrastructures, health sector, water and digital infrastructure sectors.  
 
Broadly, it will require these organisations to implement appropriate security measures, and to notify incidents to the competent authority. However, the specific details will be decided by individual Member States, and have yet to be finalised.    
In contrast, the GDPR will apply to any business, public authority or charity established in the EU that uses information about living individuals, whether employees, customers or suppliers. It will also apply to any business located outside the EU that offers goods and services to citizens in the EU, or monitors citizens’ behaviour in the EU.  
 
GDPR will be brought into national law in the UK by way of the Data Protection Bill, and is intended to continue to apply after the UK leaves the EU.  
 
The legislation imposes a number of standards upon those organisations to which it applies. It specifies that organisations must not only keep personal information secure, but that they have a duty of transparency towards the individuals to whom the information relates. 
 
Below are ten things you should know about the NIS directive, how it differs from the GDPR, its requirements and its application:
 
1. It’s a Directive, not a Regulation
With the noise generated by the GDPR, many will have brushed up on the European law glossaries recently, noting that the NIS is a directive and not a regulation. 
Unlike a regulation, which is absorbed into member state law in its original form, a directive is an instruction to member state governments to implement their own laws in the spirit of the directive. The UK’s outgoing Data Protection Act 1998 was the result of the European Data Protection Directive 1995.
 
2. Brexit Changes Nothing
Much has been made of the UK’s exit from the European Union and how that affects incoming legislation during the negotiation period. 
Like the GDPR, the NIS will begin to affect member states in 2018, before the UK has officially left the EU. Despite the grey area, the government of the UK has confirmed that NIS will be transposed into local law at the expected timeframe despite an uncertain future.
 
3. What is Its Purpose?
The NIS directive aims to improve the cyber-security capabilities at a national level and foster better communication across EU member states. This will involve each member state adopting a national strategy on achieving a high level of cyber-security for networks and information systems across essential services.
 
4. A Focused Scope
The NIS is smaller in its scope than the GDPR and will be applicable to organisations operating in critical verticals, sometimes referred to as CNI (Critical National Infrastructure). This includes energy, transport, banking, financial market infrastructures, health, water, and digital infrastructure. 
 
The NIS categorises two types of target organisations:
 
• Operators of Essential Services – OoESs are to be identified by member states by no later than Q4 2018. They will be determined based on whether the entity provides a service that is essential for the maintenance of critical societal/economic activities, the provision of that service depends on network and information systems, and a security incident would have significant disruptive effects on the provision of the essential service.
• Digital Service Providers – A DSP (Digital Service Provider) is defined as a person or organisation offering a digital service at a distance which could cause widespread disruption if unavailable to an OoES (Operator of Essential Services). Specifically referred to in the NIS directive are online marketplaces, cloud computing services and online search engines.
 
5. Security Obligations and Breach Notifications
Much like the GDPR, there are obligations for OoESs and DSPs to implement “state of the art” technologies to manage the security risks of their networks and systems, with mandatory breach notifications to NCAs (National Competent Authorities) and CSIRTs (Computer Security Incident Response Teams) in the event of an substantial or significant incident.
 
6. Appointment of an/a NCA(s)
The directive requires each member state to designate one or more NCAs (National Competent Authority)that will monitor the application of the NIS at a national level. In the case of multiple NCAs, each NCA will be assigned one or more sectors to achieve a clear jurisdiction. In either case, each member state will need to nominate a SPoE (Single Point of Contact) that will liaise with other member states and CSIRTs on behalf of all NCAs.
 
7. The CSIRTs
Computer Security Incident Response Teams will be responsible for monitoring incidents, providing early threat warnings, and responding to any incidents. As with the NCAs, a Member State may designate multiple CSIRTs. 
In addition, the NIS Directive establishes a network of CSIRTs in which each Member State CSIRT must participate. This network’s duties include exchanging information about security incidents and providing member States with support in addressing cross-border incidents.
 
8. Enforcement is Relative
Unlike the GDPR, the ability to punish those who are non-compliant is flexible based on the Member State. The directive allows NCAs to forcibly request information from DSPs and OoESs in order to assess their implementation of NIS and order corrective action. However, when it comes to penalties, it permits member states to develop their own sanctions so long as they are proportionate, effective and dissuasive.
 
9. Extra-Territorial Reach
DSPs and OoESs are deemed to be under the jurisdiction of the NIS directive where their main establishment is. If they are not based in an EU or EEA member state and offer in-scope services, they must still comply with the directive and appoint a representative based in an EU or EEA member state.
 
10. What’s Next?
The directive has set out clear timeframes for Member States to follow. Based on the information available at the time of writing, the directive is expected to be accepted into Member State law by Q2 2018. Once transposed into national law, Member States will have up to six months to identify their local OoESs.
 
NIS VS. GDPR
Considering the timing and its focus on network and information security systems, it is natural to compare the NIS directive and the GDPR. However, the NIS is both narrower and broader than the GDPR in different ways. For example, the NIS directive refers to wider system-level defences and risk mitigation rather than personal information and its relative collection and processing. 
 
Yet it is also directed toward specific organisations, in particular, those that are deemed to perform or provide critical services. In either case, it will be a reality for some that they need to comply with both, a tough task for compliance officers in the coming twenty-four months.
 
It is easy to point at meddling European politicians as introducing reams of red-tape and costly requirements, but we have all seen the consequences of critical services being unavailable. Examples include British Airways computer systems being non-operational for a number of days leading to large-scale disruption and the NHS having to turn away patients because of the WannaCry ransomware outbreak.
 
In today’s world, it not always about how strong your army is, how tough your immigration policy is, or how high you can build a wall. It is about the cyber resilience of those services we all rely on.
 
Silicon:         Tripwire:
 
You Might Also Read: 
 
GDPR - 10 Things You Must Know:
 
The New GDPR Rules Focus On Consumer Protection:
 
European Privacy Directive: Encryption Without Backdoors:
 
« Attacks On UK Critical Infrastructure Will Double
British Banks Are Hiding Cyber Attacks »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Pluralsight

Pluralsight

Pluralsight helps enterprises build technology skills at scale with expert-authored courses on today’s most important technologies including information and cyber security.

Skybox Security

Skybox Security

Skybox combines firewall and network device data with vulnerability and threat intelligence, putting security decisions in your unique network context.

Secure Source

Secure Source

Secure Source specialise in search and recruitment for Cyber Security and Security Cleared markets.

InfoWatch

InfoWatch

InfoWatch solutions allow you to protect data and information assets that are critically important to your business.

ClickDatos

ClickDatos

ClickDatos specializes in consulting, auditing, data protection training, accredited by ISO/IEC 27001 certification.

SecuPi

SecuPi

SecuPi delivers data-centric security with data-flow discovery, real-time monitoring, behavior analytics, and protection across web and enterprise applications and big data environments.

Echoworx

Echoworx

Echoworx primary and exclusive focus is providing organizations with secure email services.

Xilinx

Xilinx

Xilinx is the inventor of the FPGA, programmable SoCs, and now, the ACAP. We are building the Adaptable, Intelligent World.

Symantec

Symantec

Symantec delivers data-centric hybrid security for the largest, most complex organizations in the world – on devices, in private data centers, and in the cloud.

Envieta

Envieta

Envieta is a leader in cryptographic solutions. From server to sensor, we design and implement powerful security into new or existing infrastructure.

SecureNation

SecureNation

SecureNation offers a wide variety of cutting-edge technologies and IT services to address almost any of your information security, network security and information assurance needs.

Active Countermeasures

Active Countermeasures

Active Countermeasures believe in giving back to the security community. We do this through free training, thought leadership, and both open source and affordable commercial tools.

Titan Labs

Titan Labs

Titan Labs is a Cyber Security Consultancy that provides advice and technical expertise to government, international finance and telecommunications providers.

Flat6Labs

Flat6Labs

Flat6Labs is the MENA region’s leading seed and early stage venture capital firm, currently running the most renowned startup programs in the region.

SYN Ventures

SYN Ventures

SYN Ventures invests in disruptive, transformational solutions that reduce technology risk.

Hydden

Hydden

Hydden gives security teams the ability to create a solid foundation to build a truly next-gen identity security practice by bridging the gaps between siloed teams and technologies.