10 Things About The Network and Information Security Directive (NIS)

Have you heard about the European Union’s Network and Information Security (NIS) Directive, which is scheduled to enter into member state law in 2018? 
 
Maybe not. Both the world's attention and its appetite for IT security legislation have been overfed with all things General Data Protection Regulation (GDPR) over the past two years, leaving little limelight for its younger sibling.
 
Yet despite slipping under the radar, its requirements will have profound consequences for those it applies to, whether they know it or not.
 
Implications of the NIS Directive and GDPR  
The NIS Directive will not apply to all organisations, only to ‘operators of essential services’ in the energy, transport, banking, financial market infrastructures, health sector, water and digital infrastructure sectors.  
 
Broadly, it will require these organisations to implement appropriate security measures, and to notify incidents to the competent authority. However, the specific details will be decided by individual Member States, and have yet to be finalised.    
In contrast, the GDPR will apply to any business, public authority or charity established in the EU that uses information about living individuals, whether employees, customers or suppliers. It will also apply to any business located outside the EU that offers goods and services to citizens in the EU, or monitors citizens’ behaviour in the EU.  
 
GDPR will be brought into national law in the UK by way of the Data Protection Bill, and is intended to continue to apply after the UK leaves the EU.  
 
The legislation imposes a number of standards upon those organisations to which it applies. It specifies that organisations must not only keep personal information secure, but that they have a duty of transparency towards the individuals to whom the information relates. 
 
Below are ten things you should know about the NIS directive, how it differs from the GDPR, its requirements and its application:
 
1. It’s a Directive, not a Regulation
With the noise generated by the GDPR, many will have brushed up on the European law glossaries recently, noting that the NIS is a directive and not a regulation. 
Unlike a regulation, which is absorbed into member state law in its original form, a directive is an instruction to member state governments to implement their own laws in the spirit of the directive. The UK’s outgoing Data Protection Act 1998 was the result of the European Data Protection Directive 1995.
 
2. Brexit Changes Nothing
Much has been made of the UK’s exit from the European Union and how that affects incoming legislation during the negotiation period. 
Like the GDPR, the NIS will begin to affect member states in 2018, before the UK has officially left the EU. Despite the grey area, the government of the UK has confirmed that NIS will be transposed into local law within the expected timeframe despite an uncertain future.
 
3. What is Its Purpose?
The NIS directive aims to improve the cyber-security capabilities at a national level and foster better communication across EU member states. This will involve each member state adopting a national strategy on achieving a high level of cyber-security for networks and information systems across essential services.
 
4. A Focused Scope
The NIS is smaller in its scope than the GDPR and will be applicable to organisations operating in critical verticals, sometimes referred to as CNI (Critical National Infrastructure). This includes energy, transport, banking, financial market infrastructures, health, water, and digital infrastructure. 
 
The NIS categorises two types of target organisations:
 
• Operators of Essential Services – OoESs are to be identified by member states by no later than Q4 2018. They will be determined based on whether the entity provides a service that is essential for the maintenance of critical societal/economic activities, the provision of that service depends on network and information systems, and a security incident would have significant disruptive effects on the provision of the essential service.
• Digital Service Providers – A DSP (Digital Service Provider) is defined as a person or organisation offering a digital service at a distance which could cause widespread disruption if unavailable to an OoES (Operator of Essential Services). Specifically referred to in the NIS directive are online marketplaces, cloud computing services and online search engines.
 
5. Security Obligations and Breach Notifications
Much like the GDPR, there are obligations for OoESs and DSPs to implement "state of the art" technologies to manage the security risks of their networks and systems, with mandatory breach notifications to NCAs (National Competent Authorities) and CSIRTs (Computer Security Incident Response Teams) in the event of a substantial or significant incident.
 
6. Appointment of NCA(s)
The directive requires each member state to designate one or more NCAs (National Competent Authorities) that will monitor the application of the NIS at a national level. In the case of multiple NCAs, each NCA will be assigned one or more sectors to achieve a clear jurisdiction. In either case, each member state will need to nominate a SPoE (Single Point of Contact) that will liaise with other member states and CSIRTs on behalf of all NCAs.
 
7. The CSIRTs
Computer Security Incident Response Teams will be responsible for monitoring incidents, providing early threat warnings, and responding to any incidents. As with the NCAs, a Member State may designate multiple CSIRTs. 
In addition, the NIS Directive establishes a network of CSIRTs in which each Member State CSIRT must participate. This network's duties include exchanging information about security incidents and providing Member States with support in addressing cross-border incidents.
 
8. Enforcement is Relative
Unlike the GDPR, the ability to punish those who are non-compliant is flexible based on the Member State. The directive allows NCAs to forcibly request information from DSPs and OoESs in order to assess their implementation of NIS and order corrective action. However, when it comes to penalties, it permits member states to develop their own sanctions so long as they are proportionate, effective and dissuasive.
 
9. Extra-Territorial Reach
DSPs and OoESs are deemed to be under the jurisdiction of the NIS directive where their main establishment is. If they are not based in an EU or EEA member state and offer in-scope services, they must still comply with the directive and appoint a representative based in an EU or EEA member state.
 
10. What’s Next?
The directive has set out clear timeframes for Member States to follow. Based on the information available at the time of writing, the directive is expected to be accepted into Member State law by Q2 2018. Once transposed into national law, Member States will have up to six months to identify their local OoESs.
 
NIS VS. GDPR
Considering the timing and its focus on network and information security systems, it is natural to compare the NIS directive and the GDPR. However, the NIS is both narrower and broader than the GDPR in different ways. For example, the NIS directive refers to wider system-level defences and risk mitigation rather than personal information and its collection and processing.
 
Yet it is also directed toward specific organisations, in particular, those that are deemed to perform or provide critical services. In either case, it will be a reality for some that they need to comply with both, a tough task for compliance officers in the coming twenty-four months.
 
It is easy to point at meddling European politicians as introducing reams of red-tape and costly requirements, but we have all seen the consequences of critical services being unavailable. Examples include British Airways computer systems being non-operational for a number of days leading to large-scale disruption and the NHS having to turn away patients because of the WannaCry ransomware outbreak.
 
In today's world, it is not always about how strong your army is, how tough your immigration policy is, or how high you can build a wall. It is about the cyber resilience of those services we all rely on.
 
