What is the NIS Directive?
The EU’s NIS Directive (Directive on security of network and information systems) is the first piece of EU-wide cybersecurity legislation. It aims to achieve a high common level of network and information system security across the EU’s critical infrastructure.
Who must comply with the NIS Directive?
The Directive applies to:
- OES (operators of essential services) including organizations in the energy, transport, banking, financial, health, distribution, and digital infrastructure sectors. However, note that the exact sectors can differ per member state. For instance, banking and financial market infrastructures are exempt in the UK.
- DSPs (digital service providers), which are divided into three groups: online search engines, online marketplaces and Cloud computing services.
Most DSPs need to comply, as their services are likely to be used across borders – there is, after all, no need for a physical presence. Those not headquartered in the EU need to designate, in writing, a representative in the EU, so that they fall under the jurisdiction of that member state.
Most US-based OES are potentially out of scope, but any EU-based subsidiaries need to comply.
Consequences for non-compliance with the NIS Directive
The Directive was due to be transposed into member states’ national laws by May 9, 2018 and enforced from May 10, 2018. Not every member state has (fully) implemented the Directive. Even so, DSPs must comply.
As mentioned, because of their digital nature, their services will be used across borders and throughout the EU. As such, complaints could be launched to the supervisory authority in those member states, which may take action against the non-compliant organization.
Such action could include handing out fines. The Directive says that these must be “effective, proportionate and dissuasive”, but the exact figures vary per member state. As an example, the UK may fine non-compliant organizations up to £17 million (about $22 million).
What are the NIS Directive’s requirements for OES and DSPs?
OES and DSPs must:
- Secure their network and information systems by taking technical and organizational measures appropriate to the risk
- Ensure service continuity by taking appropriate measures to prevent and minimise the impact of any incidents
- Notify their regulator of any security incident that has a significant impact
An Implementing Regulation, which took effect on May 10, 2018, provides further clarity for DSPs on how they are expected to comply with the NIS Directive. This EU-wide implementing regulation has the same weight as a local law. As such, DSPs need to comply, irrespective of which member state they register with and regardless of the fact that not every member state has enforced the Directive locally yet.
ENISA (European Union Agency for Network and Information Security) has provided “Technical Guidelines for the implementation of minimum security measures for Digital Service Providers,” which describes 27 security objectives.
Incident reporting measures under the NIS Regulations
Comparable to breaches under the GDPR (General Data Protection Regulation) and California Consumer Privacy Act (CCPA), organizations must report “significant” or “substantial” incidents to their competent authority without undue delay and, where feasible, no later than 72 hours after having become aware of them.
Audits under the NIS Directive
OES’ compliance with the NIS Directive will be monitored through audits conducted by the designated competent authorities.
As DSPs typically face a lower level of risk than OES, they also have lighter security requirements. In line with this, they will not be audited on a regular basis, but will be subject to investigations if the competent authority suspects non-compliance – most notably, after an incident.
The lack of routine supervision could lead DSPs to neglect generating or retaining evidence that they comply, which underlines the importance of not only achieving and maintaining compliance but also being able to prove it. The lighter requirements do not imply lighter penalties.
How to achieve compliance with the NIS Directive
An excellent approach for OES and DSPs to achieve compliance is to implement a cyber resilience program that incorporates:
- Robust cybersecurity defences that are appropriate to the risk
- Appropriate tools and systems for dealing with and reporting incidents efficiently.
International standards such as ISO 27001 and ISO 27035 serve as ideal frameworks for achieving NIS Directive compliance. In fact, Section 12 of the Directive says that the measures DSPs adopt must take “compliance with international standards” into account.
The implementation of business continuity management, penetration testing, and cyber incident response management can help organizations achieve a heightened level of cyber resilience and help facilitate compliance with the NIS Directive.