The EU’s NIS Directive (Directive on security of network and information systems)
The EU’s NIS Directive (Directive on security of network and information systems) aims to achieve a high, common level of network and information systems security across the EU, and focuses on systems critical for service availability in order to protect the Union’s critical infrastructure and economies.
Want to know more about the NIS Directive?
IT Governance has a range of tools and services available to help your organization on their NIS compliance journey. Get in touch with one of our experts today for more information on how we can help you prepare for compliance.
Who must comply with the NIS Directive?
There are two main groups within scope, assuming they offer their services in the EU:
- DSPs (digital service providers)¹
- OES (operators of essential services)
Most DSPs need to comply, as their services are likely to be used across borders – there is, after all, no need for a physical presence. DSPs not headquartered in the EU need to designate, in writing, a representative in the EU, so that the DSP falls under the jurisdiction of the member state in which that representative is established.
Most US-based OES are potentially out of scope, but any EU-based subsidiaries need to comply.
¹ The Directive does not apply to DSPs considered ‘micro and small enterprises’ (organizations employing fewer than 50 people whose annual turnover and/or balance sheet total does not exceed €10 million).
What is a DSP?
The NIS Directive lists the following categories of DSP:
- Cloud computing services: organizations that provide “a digital service that enables access to a scalable and elastic pool of shareable computing resources” (Recital 19)
- Online marketplaces: organizations that provide “a digital service that allows consumers and/or traders [...] to conclude online sales or service contracts with traders either on the online marketplace’s website or on a trader’s website that uses computing services provided by the online marketplace” (Recital 17)
- Online search engines: organizations that provide “a digital service that allows users to perform searches of, in principle, all websites or websites in a particular language on the basis of a query on any subject in the form of a keyword, phrase or other input, and returns links in which information related to the requested content can be found” (Recital 18)
What is an OES?
The NIS Directive outlines the following sectors as OES:
- Drinking water supply and distribution
- Financial market infrastructures
- Digital infrastructure
However, note that the exact sectors can differ per member state. For instance, banking and financial market infrastructures are exempt in the UK.
Consequences for non-compliance with the NIS Directive
The Directive was due to be transposed into member states’ national laws by May 9, 2018 and enforced from May 10, 2018. Not every member state has (fully) implemented the Directive. Even so, DSPs must comply. As mentioned, because of their digital nature, their services will be used across borders and throughout the EU. As such, complaints could be lodged with the competent authority in any of those member states, which may then take action against the non-compliant organization.
Such action could include handing out fines. The Directive says that these must be “effective, proportionate and dissuasive”, but the exact figures vary per member state. As an example, the UK may fine non-compliant organizations up to £17 million (about $22 million).
The NIS Directive requires DSPs to:
- Identify and put in place technical and organizational security measures that are appropriate to the risk
- Notify the relevant competent authority of any security incident having a “substantial impact” on service continuity “without undue delay”
General compliance guidance for DSPs
An Implementing Regulation, which took effect on May 10, 2018, provides further clarity for DSPs on how they are expected to comply with the NIS Directive. This EU-wide implementing regulation has the same weight as a local law. As such, DSPs need to comply, irrespective of which member state they register with and regardless of the fact that not every member state has enforced the Directive locally yet.
ENISA (European Union Agency for Network and Information Security) has provided “Technical Guidelines for the implementation of minimum security measures for Digital Service Providers,” which describes 27 security objectives.
Audits under the NIS Directive
As DSPs typically face a lower level of risk than OES, they also have lighter security requirements. In line with this, they will not be audited on a regular basis, but will be subject to investigations if the competent authority suspects non-compliance – most notably, after an incident.
Because there is no routine supervision, DSPs may neglect to keep, or even to generate, evidence that they comply. This underlines the importance not only of achieving and maintaining compliance but also of being able to prove it when an investigation comes. The lighter requirements do not imply lighter penalties.
How to achieve compliance with the NIS Directive
The best approach to achieving compliance is for DSPs and OES to implement a cyber resilience program that incorporates measures for information security, business continuity, and incident response.
International standards such as ISO 27001 and ISO 22301 serve as ideal frameworks for achieving NIS Directive compliance. In fact, Article 19 encourages using internationally accepted standards and specifications.
The implementation of business continuity management, penetration testing, and cyber incident response management can help organizations achieve a heightened level of cyber resilience and help facilitate compliance with the NIS Directive.
How IT Governance can help you achieve NIS Directive compliance
- We deliver the entire suite of consultancy, training, and tools needed for NIS Directive compliance
- Our unique combination of technical expertise and solid track record in international management system standards means we can deliver a complete solution for NIS Directive compliance and manage the project from start to finish
- As part of our work with organizations in all industries, we have managed hundreds of projects around the world
- We are independent of vendors and certification bodies, and encourage our clients to select the best fit for their needs and objectives
- We have multi-disciplinary teams that can undertake rigorous penetration testing of your systems and networks, project managers to roll out compliance implementation projects, and executive expertise to brief your board and develop a suitable risk mitigation strategy
- We deliver practical advice and work according to your budget and organizational needs. No company or project is ever too big or small
- We offer clear and transparent pricing
Speak to an NIS Directive expert
Please contact our NIS Directive team for advice and guidance on our products and services.