Although much of the focus in 2018 has been on ensuring compliance with the EU GDPR (General Data Protection Regulation), another EU directive became law in May: the NIS Directive (Directive on security of network and information systems).
What is the NIS Directive?
The NIS Directive aims to ensure the availability of systems and networks for organizations in sectors where a disruption to service could have a detrimental impact on the economy and/or society at large. This includes those in critical infrastructure sectors.
With the many threats facing critical infrastructure organizations, ranging from cyber attacks to human error and natural disasters, it’s crucial that businesses understand what the Directive means for them.
In March 2018, a ransomware attack hit the city of Atlanta. This locked away important files and hackers demanded approximately $50,000 in bitcoin. Following the incident, Atlanta residents couldn’t do simple tasks like paying parking tickets or utility bills. The NIS Directive aims to minimize this sort of chaos.
Who does it apply to?
The NIS Directive applies to two different categories of organizations that do business in the EU:
- OES (operators of essential services)
Most US-based OES are generally out of scope, but any EU-based subsidiaries need to comply.
- DSPs (digital service providers)
Most DSPs need to comply, as their services are likely to be used across borders – there is, after all, no need for a physical presence.
DSPs that employ fewer than 50 people and with annual revenues and/or a balance sheet total less than €10 million (approximately $11.8 million) are exempt from the NIS Directive.
What are the consequences for non-compliance?
Most digital services are supplied across borders and throughout the EU, so DSPs must comply. Much like the GDPR, complaints will be registered with the relevant authorities in EU member states, which may take action against the non-compliant organization.
Such actions could include handing out fines. The Directive says that these must be “effective, proportionate and dissuasive”, but the exact figures vary per member state.
What must organizations do to comply?
Because of their cross-border nature, DSPs have uniform compliance requirements across the EU in the form of the Implementing Regulation, which took effect May 10, 2018.
ENISA (the European Union Agency for Network and Information Security) has also provided “Technical Guidelines for the implementation of minimum security measures for Digital Service Providers”.
When do organizations need to comply?
DSPs face a ‘lighter touch’ approach than OES, and won’t face regular audits, but could face an audit if they are suspected of being non-compliant.
What can organizations do now?
IT Governance’s NIS Directive Gap Analysis will assess the gaps in your current cybersecurity arrangements against the Implementation Regulation and ENISA’s technical guidance for DSPs, providing you with a clear roadmap to compliance.