The Department for Digital, Culture, Media and Sport (DCMS) launched a public consultation on the new EU NIS Directive in August 2017 with UK Government legislation to support it required to be in place by 9th May 2018.
While we await the results of this consultation it is important to ensure your organisation is aware of the outline requirements, obligations and implications of the NIS Directive.
We’ve put together this quick series of blogs to offer some insight into the headline issues you may need to address.
What is the NIS Directive?
The Directive on Security of Network and Information Systems (NIS Directive) ((EU) 2016/1148) is the first piece of EU-wide legislation on cybersecurity. Through regulation and legal measures, its purpose is to achieve a high and standard level of security for network and information systems across the EU in sectors that rely heavily on information and communications technology (ICT).
Ransomware attacks like WannaCry illustrate only too well the adverse effects that can result from a security breach. The NIS Directive will help make sure UK operators in essential services are prepared to deal with the increasing numbers of cyber threats. It will also cover other threats affecting IT, such as power failures, hardware failures and environmental hazards. It aims to achieve this in three ways: –
- Improving cyber security capabilities at a national level.
- Increasing cooperation on cyber security among EU member states.
- Introducing security measures and incident reporting obligations for “Operators of Essential Services” in critical national infrastructure (CNI) and “Digital Service Providers”.
To whom does the NIS Directive apply?
The NIS Directive applies to organisations that are established in the EU or that offer services to persons within the EU, defined as follows:
Operators of Essential Services (OES), are public or private entities that meet the criteria:
– Provide a service which is essential for the maintenance of critical societal and/or economic activities;
– The provision of that service depends on network and information systems; and
– An incident affecting those systems would have significant disruptive effects on the provision of that service.
The Directive deems the following sectors as “essential”:
Energy (Electricity, Oil and Gas)
Transport (Air, rail, water and road)
Banking (Credit institutions)
Financial market infrastructures (Trading venues and central counterparties)
Health (Healthcare providers)
Water (Drinking water suppliers and distributors)
Digital infrastructure (Domain name services (DNS) service providers, Internet exchange points (IXP) operators and Top level domain (TLD) name registries)
Digital Service Providers (DSP), are any legal person that provides a digital service, including:
Search engines – a digital service that allows users to perform searches of all websites or websites in a particular language)
Online market places – a platform that acts as an intermediary between buyers and sellers, facilitating the sale of goods and services)
Cloud computing services – any company that offers:
– Infrastructure as a Service (IaaS)
– Platform as a Service (PaaS)
– Business to Business Software as a Service (SaaS)
Who is not subject to NIS Directive?
The Directive acknowledges that some EU regulatory regimes in certain industry sectors already deal with information and network security issues. The Directive says: “certain sectors of the economy are already regulated or may in the future be regulated by sector-specific Union legal acts”. In such circumstances the NIS Directive will not apply, whether or not the organisation would otherwise meet the criteria to be considered an OES or DSP. Only regulatory regimes which provide equivalent protection to that set out in the NIS Directive will qualify as a ‘sector-specific Union legal act’ that could apply instead of the provisions laid out in the NIS Directive.
Ultimately, each EU country will draw a list of all the companies within each sector that fall subject to the new rules or devise “objective quantifiable criteria (e.g. output of the operator or number of users) which would allow to determine which entities are subject to NIS obligations and which are not”, according to the Directive.
Also, the Directive does not apply to hardware and software developers or DSPs that are considered small and micro businesses (companies employing fewer than 50 people whose annual turnover and/or balance sheet total is less than €10 million).
So what’s the impact going to be?
Despite these exclusions, it is quite clear that a large number of organisations will be included in any legislation and regulation emanating from the introduction of the NIS Directive. The security of systems, data and services provided within these industries is clearly going to come under greater scrutiny.
But how? And what is going to be expected of the security controls and measures OESs and DSPs employ through their data supply chains?
Talk to DVV Solutions
We’ll can help find the most effective way to achieve optimal security and NIS compliance throughout your data supply chain.
Call Us: +44 (0) 161 476 8700
Contact Us: Complete our online contact form