The NIS Directive is an EU-wide cyber security directive designed specifically to enhance the resilience of network and information systems. It requires member states to ensure that providers of critical infrastructure and services have appropriate security measures in place to manage cyber risk and maintain continuity. Member states are also required to designate one or more NIS competent authorities (CAs) to help oversee implementation of the Directive.
In the UK, the CAs responsible for enforcing the NIS Regulations include the Secretaries of State for Energy, Transport, Health and the Environment, and various devolved authorities such as the Department of Finance for Northern Ireland and the Welsh and Scottish Ministers.
EU Directive 2016/1148, the Directive on the Security of Networks and Information Systems (the NIS Directive or Cyber Security Directive), came into force in July 2016 and was transposed into UK law as The Network and Information Systems Regulations 2018 (NIS Regulations) on 10 May 2018.
With an increasing number of cyber threats targeting critical infrastructure, the importance of protecting operators of essential services, such as transportation, health, water and energy, has never been greater.
The NIS Directive is designed to improve security and resilience across the European Union by ensuring that operators of essential services and digital services providers have the necessary controls in place to minimise security risk.
The UK NIS Regulations apply to:
Article 14 of the NIS Directive outlines fourteen key principles, split across four top-level objectives. In the UK, the National Cyber Security Centre has released a cyber assessment framework (CAF) to help organisations comply with these principles under the NIS Regulations.
Ensuring that appropriate policies and procedures are in place to understand, assess and systematically manage risks to the networks and information systems that support essential services. Included within NISD Objective A:
– A.1 – Governance
– A.2 – Risk management
– A.3 – Asset management
– A.4 – Supply chain
Implementing proportionate security measures to protect essential services and systems from cyber-attack. Included within NIS Directive Objective B:
– B.1 – Service protection policies and processes
– B.2 – Identity and access control
– B.3 – Data security
– B.4 – System security
– B.5 – Resilient network and systems
– B.6 – Staff awareness and training
Ensuring the ability to minimize the impact of security incidents on essential services. Included within NIS Directive Objective D:
– D.1 – Response and recovery planning
– D.2 – Lessons learned/improvements
Adherence to each NIS principle is judged on how well a total of 39 outcomes are met. Each outcome is assessed based upon Indicators of Good Practice (IGPs).
OESs will be regularly audited by their relevant competent authority to ensure they are fully compliant with the NIS Regulations, or at the very least, working towards compliance. RDSPs are not audited, but they are subject to investigation following any incident that could indicate non-compliance.
In the UK, non-compliant organisations may be fined up to £17 million. The largest fines will be imposed where an incident results in an immediate threat to life or significant adverse impact on the UK economy.
If an OES or RDSP also falls foul of the GDPR and/or DPA 2018, the organisation could be liable to receive separate sanctions. While the UK government has stated that OESs and DSPs should not be tried for the same offence twice, there may be reason for them to be penalised under different regimes if there are multiple, distinct instances of wrongdoing.
As an award-winning provider of managed security and assessment services, Redscan can help your organisation achieve NIS compliance. Our services enable you to:
The NIS Directive – EU Directive 2016/1148 – is the Directive on the Security of Networks and Information Systems. This is a piece of EU-wide legislation designed to enhance the general level of cyber security in place across the European Union’s critical infrastructure. Alongside cyber security measures, the NIS Directive also covers physical and environmental factors. In the UK, the Directive was transposed into domestic law as the NIS Regulations.
There are four key NIS Directive objectives; managing security risk, protecting against cyber-attack, detecting cyber events, and minimising the impact of cyber incidents. Under these objectives sit fourteen NIS Directive subcategories, called principles.
The NIS Directive and Regulations apply to two main groups of organisations – Operators of Essential Services (OES) and Relevant Digital Service Providers (RDSP). OESs are organisations that provide an essential service to society that could be disrupted by a cyber incident, including energy, transport, water and healthcare. RDSPs are digital service providers over a certain size that provide online marketplace, search engine and cloud computing services.
Competent Authorities (CA) are the bodies appointed by member states to oversee the implementation of the NIS Directive. In the UK, the CAs responsible for enforcing the NIS Regulations are split by industry. These include the Secretaries of State for Energy, Transport, Health and the Environment, and various devolved authorities such as the Department of Finance for Northern Ireland and the Welsh and Scottish Ministers.
Organisations that fall foul of the NIS Directive in the UK could be fined up to a maximum of £17 million. The largest fines are reserved for incidents that result in an immediate threat to life or significant adverse impact on the UK economy.
The main security requirement of NIS is to “identify and take appropriate and proportionate measures to manage the risks posed to the security of network and information systems”. The measures in question should be appropriate to the overall risk posed, covering incident handling, business continuity management, monitoring, auditing and testing, as well as compliance with international standards.
The Cyber Assessment Framework, or CAF, is a set of guidance released by the UK’s National Cyber Security Centre (NCSC) to help OESs and RDSPs meet the requirements of the NIS Directive and NIS Regulations. Guidance includes a detailed description of each requirement, alongside suggested measures for organisations to take to achieve compliance.
Under the NIS Regulations, essential services in the UK include organisations that depend on network and information systems to provide services that are relied upon by society and could have significant detrimental impacts if they were interrupted. This includes organisations in the energy (oil, gas, electricity), transportation (aviation, rail, shipping, cargo), water and healthcare sectors.
An NIS security audit is the process where Operators of Essential Services (OES) are assessed by their designated CA to ensure they are compliant with the NIS Directive, or are at least putting measures in place to work towards it. Relevant Digital Service Providers (RDSPs) will not be audited but may be investigated if an cyber incident occurs that could indicate non-compliance.
We are trusted by global cyber insurers to conduct thousands of breach investigations
every year. Our experts can help you contain, recover and mitigate future attacks.
Copyright © 2023 By Incluzion Business Solutions. All rights reserved.
