In December 2015, European Union (EU) lawmakers reached a draft agreement on new cyber security regulations after nearly two years of negotiations. The Network and Information Security (NIS) Directive will increase co-operation between member states and lay down cyber security obligations for operators of Essential Services and Digital Service Providers (DSPs).
The NIS Directive will require qualifying organisations to implement appropriate security measures to protect their networks and data against cyber security incidents and to report serious breaches to regulators. It will certainly affect companies in the UK, barring an EU exit in the summer referendum.
Which organisations will it apply to?
‘Essential Services’ is a broad term, which the NIS Directive defines as:
“An entity that provides a service that is essential for the maintenance of critical societal and/or economic activities, so long as the provision of that service depends on network and information systems and if an incident to the network and information systems of that service would have significant disruptive effects on the provision of those services.”
In practice, Essential Services will mean banks, energy and power network operators, air, road and rail transportation providers, telecommunications companies, health providers, water suppliers, food suppliers and operators of digital infrastructure – to name but a few. This will include some of the largest organisations and many well-known names across Europe.
The directive considers DSPs to be providers of an online marketplace:
“A digital service that allows consumers and/or traders to conclude online sales and service contracts with traders either on the online marketplace’s website or on a trader’s website that uses computing services provided by the online marketplace.”
This could include online search engines or cloud computing services, but not hardware manufacturers and software developers.
The security and incident reporting rules will differ between operators of Essential Services and DSPs, with a lighter touch framework applicable to DSPs.
There is one further caveat to application of the NIS Directive – it won’t apply to all operators of Essential Services or DSPs. So, which ones are exempt?
The directive recognises that (in relation to information and network security):
“Certain sectors of the economy are already regulated or may in the future be regulated by sector-specific Union legal acts.”
This relates mainly to banks and e-commerce companies but will require further definition.
The draft NIS Directive is still to be formally approved by MEPs and the European Council in Q2 2016. Following approval, the expected timescales are a 21-month period for each EU country to transpose the directive into its national laws, followed by a six-month period during which the Essential Services subject to the directive will be identified.
How can you prepare for it?
Companies that are part of the UK Critical National Infrastructure will be directly impacted by the NIS Directive. Many of these industries have cyber security regulations and best practice guidance already, but some do not, so it could be quite a culture shock.
Organisations potentially in scope of the mandated directive requirements have two years to prepare, and our opinion is that they should, as a minimum, review their approach to cyber security.
Our recommendation is that they should seriously consider obtaining some form of evidence of their security posture through best practice schemes such as Cyber Essentials, ISO27001 certification, Cyber Security Model, IASME or 10 Steps to Cyber Security. Ascentor can help with assessments and advice.
In our view, the NIS Directive is a well-intentioned attempt to raise the bar for ‘cyber hygiene’ across the EU with a single approach. This is very positive given the multitude of standards and guidance that abound. However, it has already failed to achieve significant harmonisation with the lack of a single definition of scope.
EU partners have different approaches to implementation, with some countries, such as France and Germany, advocating legislation (Germany introduced draft cyber security legislation in August 2014), whilst others, such as the UK, prefer education and awareness and a reliance upon organisations recognising the self-interest aspects.
One of the potential ‘gotchas’ is the requirement for mandatory notifications of security incidents. The details of this have yet to be worked out, but UK companies have already expressed unhappiness over the reporting requirements for the EU General Data Protection Regulations and the response to the NIS Directive may be similar.
There is some comfort that workshops for EU partners are planned to determine the precise cyber security measures to be in the new standard. Of interest is the prospect of audits and sanctions in the event of non-compliance, but these details have yet to be worked through. It will be interesting to see how implementation and effectiveness will be assessed and by whom.
For further information
If you have found this article of interest, the Ascentor blog regularly carries articles about cyber security and information assurance issues. You might also like to keep in touch with Ascentor by receiving our quarterly newsletter and following us on LinkedIn and Twitter.
If you’d like to discuss how our consultants could advise on any aspect of cyber security, please contact Dave James at Ascentor.
Email: [email protected]
Office: 01452 881712