Originally published in May 2018 just before it entered UK law, this article covers the NIS Directive, also known as NIS (D). We look at what it is, what cyber incidents it is designed to prevent, who it applies to and how to comply.
The Chinese have just celebrated the start of The Year of the Dog. But for anyone with responsibility for data security in their organisation, it’s very much “The Year of Regulation”. You’ll have heard plenty about the General Data Protection Regulation (GDPR), but what about the European Union’s other piece of security legislation, the Network and Information Security (NIS) Directive?
May is going to be a busy month in cyber security, with the NIS Directive being transposed into national law on 9th May, quickly followed by the GDPR on 25th May – as if you needed reminding.
Ascentor first covered the NIS Directive two years ago in February 2016. Back then it was a draft agreement on new EU-wide cyber security regulations after nearly two years of negotiations. We also made the rather prophetic statement that “It will certainly affect companies in the UK, barring an EU exit in the summer referendum.”
Well, we are leaving the EU but, just like GDPR, the NIS Directive will enter UK law in 2018 – before the UK has officially left.
So, it’s time to get up to date with the NIS Directive and answer some of the questions you might have about the organisations it applies to and how to comply.
What exactly is the NIS Directive?
The NIS Directive is the first piece of EU-wide legislation on cyber security. EU countries have ever more connected digital networks – but, for many years, cyber security issues were handled at a national level. That created a pretty obvious weak link, which cyber criminals were only too pleased to exploit.
Therefore, the NIS Directive set out to encourage cross-border collaboration between EU member states which, until 29th March 2019, still includes the UK. It also aims to achieve a high level of cyber security for our critical national infrastructure and essential services – thus protecting them from cyber attack.
It will do this through each member state having in place a national framework so that they are equipped to manage cyber security incidents and oversee the application of the Directive. This includes a National Cyber Security Strategy, a Computer Security Incident Response Team (CSIRT), and a national NIS Competent Authority or Authorities (CAs).
Incidents the NIS Directive is designed to prevent
The cyber threat becomes very real when an organisation we all rely on gets attacked, just as it did with the NHS and the WannaCry virus – a textbook reminder of why protecting these services is so important and exactly the type of attack the NIS Directive is intended to prevent. And not long after our health services were affected, EU transport companies like TNT and Maersk, and a Ukrainian nuclear plant, were disrupted by the NotPetya virus.
Another recent threat to critical infrastructure saw the August 2017 bank holiday grounding of almost the entire BA fleet due to a “power surge”. Although not a cyber attack that time, the chaos saw 75,000 people stranded and cost around £100m – not to mention transport paralysis. The NIS Directive is designed to make sure a similar event doesn’t happen through cyber security vulnerabilities.
So, some powerful examples of why we need the NIS Directive. But how does a Directive differ from a Regulation?
What’s the difference between a “Directive” and a “Regulation” – as in GDPR?
In brief, a Directive is an instruction to member state governments to implement their own laws in the “spirit” of the Directive. So, it’s up to the UK government to interpret and transpose it into our laws. A Regulation passes from EU legislation into each member state’s law in its original form – there’s no country-by-country variation.
What organisations does it apply to?
Essentially there are two types of organisations:
Operators of Essential Services (OESs)
These are public or private organisations within vital sectors which rely heavily on information networks.
Essential Services will include some of the largest organisations and many well-known names across Europe. They will cover banks, energy and power network operators, air, road and rail transportation providers, telecommunications companies, health providers, water suppliers, food suppliers and operators of digital infrastructure – to name but a few.
An OES will have to take appropriate and proportionate security measures to manage risks to their network and information systems, and they will be required to notify serious incidents to the relevant national authority.
Digital Service Providers (DSPs)
These are any legal entity that provides a digital service, including:
- Search engines, online marketplaces and cloud computing services – defined as any company that offers: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Business to Business Software as a Service (SaaS). However, SaaS offerings are included only if the service is elastic and scalable.
How to comply – cyber resilience and NCSC principles
Article 19 of the Directive states that – Member states should encourage the use of European or internationally accepted standards and specifications relevant to the security of network and information systems.
A cyber security programme tailored to meet the needs of an organisation is the way to achieve cyber resilience. OESs and DSPs are required to have applied appropriate and proportional technical and organisational measures by implementing an organisational cyber resilience programme.
Cyber resilience is all about the ability to not only deter and resist attacks – but also to detect and recover from them, returning to normal operation with minimal downtime.
Resilient cyber security will be achieved through a programme tailored to meet the needs of an organisation – ideally this should be based on a realistic assessment of risks and risk appetites. Ascentor has recently covered this topic in our blog article Seven steps to designing a resilient Cyber Security Programme.
NCSC guidance and principles
For the UK, the National Cyber Security Centre (NCSC) published a guide on 28th January 2018, An Introduction to the NIS Directive, as part of its NIS Guidance Collection. As they say themselves (and we agree) – start here if you are in any doubt; it is a comprehensive guide with many useful links.
Although the NCSC will have no regulatory role in the NIS Directive, it is providing technical support and guidance through:
- a set of 14 NIS Security Principles for securing essential services – divided into four objectives which are – managing security risk, defending systems against cyber attack, detecting cyber security events and minimising the impact of cyber security incidents.
- a collection of supporting guidance for each principle.
- a Cyber Assessment Framework (CAF) incorporating indicators of good practice.
- implementation guidance and support to CAs who will be responsible for compliance monitoring.
Designated CAs will monitor OESs’ compliance through an auditing process to prevent non-compliance. However, DSPs will not be audited, with enforcement being applied to DSPs after an incident has occurred, or if a DSP is reported to the CA as being non-compliant.
A newly developed CAF will provide guidance for assessing organisations against the NCSC’s 14 Security Principles, and will outline the acceptable levels of security under the requirements of the NIS Directive. The CAF is expected to be released in April/May 2018.
Consequences of non-compliance
In the UK, non-compliant organisations may be fined up to £17 million – although there are different considerations that apply to different sectors when deciding the appropriate level. That ceiling figure was set by the UK Government and indeed all EU member states have been required to set their own rules on penalties.
The UK figure came from the UK Government in response to a public consultation in January 2018 to outline plans to facilitate NIS Directive compliance. The level of fine will be assessed by the CA.
How Ascentor can help
Organisations can start to build a level of cyber resilience by following the 7 steps in our blog on the topic as mentioned above.
In addition, in advance of (and regardless of) the NIS Directive, organisations should seriously consider getting some form of evidence of their security posture through best practice schemes such as: Cyber Essentials, ISO27001 certification, and IASME, the information and cyber security standard for SMEs. Larger organisations may already be following the ISF Standard of Good Practice.
Organisations using or offering services in the cloud should consider: the NCSC’s 14 Cloud Security Principles (which are different from the 14 NIS Security Principles) and the Cloud Security Alliance’s Cloud Controls Matrix.
However, the only way to meet the NIS Principles is to follow the guidance for each – and, as there are 14 – you may welcome some help.
Ascentor can help you assess your security maturity using any of these schemes as a baseline by conducting a Gap Analysis exercise. If you are not sure which scheme is the best start point, we offer a Risk Review service to establish your own baseline. In either case, we conclude with recommendations; where we recommend remediation, we can help you to plan and implement the remediation action and provide ongoing support.
For further information
If you’d like to discuss how our consultants can advise on any aspect of Information Assurance and cyber security, please contact Dave James, MD at Ascentor.