The EU Directive on the security of Networks and Information Systems, known as the NIS Directive or NIS (D), entered UK law on 9th May 2018. It encourages better cross-border collaboration to improve the EU's preparedness for a cyberattack on the network and information systems that underpin essential services and critical national infrastructure.
NIS (D) applies to two types of organisation. Operators of Essential Services (OESs) are the major public or private organisations that rely heavily on information networks, such as banks, energy providers and network operators. Digital Service Providers (DSPs) are any legal entity that provides an elastic and scalable digital service, such as search engines, online marketplaces and cloud computing services.
OESs and DSPs are required to have applied appropriate and proportional security measures to manage risks to their network and information systems.
There are penalties of up to £17m for organisations that suffer a cyberattack and cannot demonstrate that they had the most robust safeguards in place.
Serious incidents will need to be reported as soon as they happen to an appointed competent authority, which will assess whether appropriate security measures were in place. In the UK, this is the National Cyber Security Centre (NCSC). Although its role is not regulatory, the NCSC will have the power to issue legally binding instructions to improve security and, if appropriate, to impose financial penalties.
For the UK, the NCSC published its latest guide on 19th July 2018, An Introduction to the NIS Directive, as part of its NIS Guidance Collection. It is a comprehensive guide with many useful links and includes the final version of the Cyber Assessment Framework (CAF) consisting of a collection of Indicators of Good Practice.
Organisations can start to build a level of cyber resilience by following the recommendations within Ascentor’s blog Seven steps to designing a resilient Cyber Security Programme.
Ascentor can steer you through what is needed to become NIS (D) compliant. Setting the CAF as the baseline, we use our tried and tested Gap Analysis, a four-step process that will arm you with the knowledge to make business decisions regarding improvements and related resources.
On completion of an Ascentor Gap Analysis, you will understand where you are today and what needs to be done, and you will have an outline plan of how to achieve it. We can then support the identified remediation activities and provide ongoing support to maintain your status and continually improve your cyber security posture in line with your business objectives.