The NIS Directive seeks to achieve a high common level of security of network and information systems throughout the EU by taking a three pronged approach:
– increased EU co-operation
– improved cyber security capabilities at a national level;
– risk management and reporting obligations for qualifying organisations
Scope
The NIS is applicable to organizations operating in critical systems, sometimes referred to as CNI (Critical National Infrastructure). This includes energy, transport, banking, financial market infrastructures, health, water, and digital infrastructure.
Security and incident notification obligations are set out in the NIS Directive for two categories of organisations: (i) operators of essential services (OESs); and (ii) digital service providers (DSPs).
The directive itself (Located here http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016L1148&from=EN)
The directive was adopted by the European Parliament on 6 July 2016 and entered into force in August 2016. Member States had 21 months to transpose the Directive into their national laws and 6 months more to identify operators of essential services.
Operators of Essential Services
These operators of essential services (OESs) are to be identified by government by November 2018,
This is designed minimise the threat and the impact of potential incidents ensuring continuity of services. These OES’s are distributed across several sectors to include: transport, banking, financial market infrastructures, the health sector, drinking water supply and distribution, and digital infrastructures.
Digital Service Providers
Funnily enough the onus is on DSP’s to identify whether they qualify as a Digital Service Provider.
DPSs can be categorised as the following organisations:
Search engines.
Cloud computing services.
Online marketplaces.
The Directive states that DSPs “remain free to take technical and organisational measures they consider appropriate and proportionate to manage the risks”, as long as the measures provide an “appropriate level of security” and factor in the NIS Directive’s requirements.
DSPs are required to ensure a level of security appropriate to the risk.
Areas to be considered include
The security of systems and facilities
Incident handling
Business continuity management
Monitoring, auditing and testing
Compliance with international standards
Compliance
The best approach to achieve compliance is for DSPs and OESs to implement a cyber resilience program which incorporates the following:
- Liaise with NCA’s (National Competent Authority)
- Implement strong cyber security defenses.
- Adequate cyber risk preventative measures.
- Implement an effective incident response processes
Appointment of a NCA (National Competent Authority)
The directive requires each member state to designate one or more NCAs (National Competent Authority) who will monitor the application of the NIS at a national level.
Multiple NCA’s can be created, in this case each NCA would be assigned one or more sectors to achieve a clear jurisdiction.
Each member state will also need to nominate a SPoE (Single Point of Contact) that will liaise with other member states and CSIRTs on behalf of all NCAs.
CSIRTS (Computer Security Incident Response Teams)
Computer Security Incident Response Teams will be responsible for monitoring incidents, providing early threat warnings, and responding to any incidents.
What is a Directive?
A directive and not a regulation. Unlike a regulation, which is absorbed into member state law in its original form, a directive is an instruction to member state governments to implement their own laws in alignment with the directive.
Links of interest
http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016L1148&from=EN
https://ec.europa.eu/digital-single-market/en/network-and-information-security-nis-directive