Next we need to look at what the Directive expects of, and implies for, operators of essential services (OESs) and digital service providers (DSPs).
What are the expectations of the cyber security policies and procedures employed by OESs and DSPs?
The NIS Directive sets out expected methodologies, behaviours and actions for both OESs and DSPs: how they should approach security and risk, and how they must act once an incident has occurred.
Recital 44 of the Directive (not Article 44; the operative text has only 27 articles, and this wording comes from the recitals in the preamble) states that OESs and DSPs should adopt:
A culture of risk management, involving risk assessment and the implementation of security measures appropriate to the risks faced.
The Directive also makes clear that this is not intended to impose a disproportionate financial and administrative burden on them. Recital 46 goes on to clarify what risk management means here:
Risk-management measures include measures to identify any risks of incidents, to prevent, detect and handle incidents and to mitigate their impact. The security of network and information systems comprises the security of stored, transmitted and processed data.
The NIS Directive sets out security requirements and incident notification rules for OESs that are different from those that apply to DSPs.
Article 14 of the Directive states that an OES must:
Take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in their operations. Those measures should ensure a level of security of network and information systems appropriate to the risk posed.
Take appropriate measures to prevent and minimise the impact of incidents affecting the security of the network and information systems used for the provision of such essential services, with a view to ensuring the continuity of those services.
Inform, without undue delay, the competent authority or the Computer Security Incident Response Team (CSIRT) of incidents having a significant impact on the continuity of the essential services they provide.
Article 16 of the Directive states that a DSP must:
Take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of the network and the information systems which they use in the context of offering services. These security measures should ensure a level of security of network and information systems appropriate to the risk posed. They must also take account of:
– The security of systems and facilities
– Incident handling
– Business continuity management
– Monitoring, auditing and testing
– Compliance with international standards
Take measures to prevent and minimise the impact of incidents affecting the security of their network and information systems in the services they offer, with a view to ensuring the continuity of those services.
Notify the competent authority or the CSIRT without undue delay of any incident having a substantial impact on the provision of a service that they offer. In order to determine whether the impact of an incident is substantial, digital service providers should, where possible, take account of:
– The number of users affected by the incident, in particular users relying on the service for the provision of their own services.
– The duration of the incident.
– The geographical spread with regard to the area affected by the incident.
– The extent of the disruption of the functioning of the service.
– The extent of the impact on economic and societal activities.
The NIS Directive itself does not fix a deadline for reporting incidents; it only requires operators to notify “without undue delay”. Member States set concrete deadlines in their implementing legislation (the UK’s NIS Regulations 2018, for example, require notification no later than 72 hours after the operator becomes aware of the incident).
Remember, it’s not only cyber security risks that are covered
The NIS incident reporting requirements are not limited to “cyber security” incidents: any incident affecting the security of the network and information systems used to provide the essential service may be reportable, whatever its cause. That includes power failures, environmental hazards and hardware failures as well as cyber attacks, intrusions and malware.
What are the implications for non-compliance with the NIS Directive?
Member States are required to set their own rules on penalties and must take the measures necessary to ensure they are implemented. The UK Government’s consultation proposed a two-tiered approach, modelled on the GDPR penalty regime:
Band one: a maximum of EUR 10 million or 2% of global turnover for lesser offences, such as failing to cooperate with the competent authority, failing to report a reportable incident, or failing to comply with an instruction from the competent authority.
Band two: a maximum of EUR 20 million or 4% of global turnover (whichever is greater), for failing to implement appropriate and proportionate security measures.
Note that these were the consultation figures; the final UK NIS Regulations 2018 set a single maximum penalty of £17 million.
What about Brexit?
This one is very clear. The NIS Directive must be transposed into national law by 9 May 2018, before the UK leaves the EU, and the UK government has already confirmed that it will implement the Directive irrespective of Brexit.
So what do you do next?
The GDPR experience shows that the EU and UK authorities are raising the level of awareness, control and legislation around the cyber security of the systems and support underpinning “essential services” across the UK and the EU Member States. The potential fines alone should be a wake-up call to everyone in every affected organisation, from board level to end users, about the critical need to deploy rigorous cyber security and risk management programmes.
But how do the Directive and industry define these “appropriate and proportionate measures”? What does NIS-compliant “best practice” look like?
Talk to DVV Solutions
We can help find the most effective way to achieve optimal security and NIS compliance throughout your data supply chain.
Call Us: +44 (0) 161 476 8700
Contact Us: Complete our online contact form