NIS Directive (EU 2016/1148)
Nowadays, cyber-attacks are on the rise. Targeted attacks on organizations have grown from an average of 350,000 cyber incidents in 2017 to 4000 cyberattacks per day during the COVID-19 pandemic in 2020. The NIS Directive is directly relevant to this trend.
✓ Digital security infrastructure
Today's digital security infrastructure can prevent 87% of attacks. But even with that level of security, organisations are looking at anywhere in the range of 2 to 3 breaches per month. What if essential services like banking or telecom services are breached or manipulated by these attacks? It can turn the lives of citizens upside down and even topple a country's economy.
✓ GDPR privacy protection
The General Data Protection Regulation (GDPR) is a powerful privacy protection measure that affects the way organizations deal with the data of EU residents. But there is another set of rules that some organizations must follow in addition to those laid down by the GDPR. This is the Network and Information Systems (NIS) Directive, and it deals with the issue of cybersecurity concerning critical national infrastructure. So, what exactly is the NIS Directive, and what are its implications?
Need for the NIS Directive
The Cyber Security Breaches Survey 2017 showed that for 74% of the surveyed businesses, cybersecurity is an essential requirement for senior management. However, the survey came out with a startling finding: despite the evident significance attached by businesses to cybersecurity, all the UK businesses covered by the survey faced cybersecurity risks. More needs to be done in this regard, and organisations should at least conduct a cybersecurity audit to identify their key risks and the recommendations to address them.
✓ Cybersecurity, not a concern just for large organisations
Contrary to popular perception, cybersecurity is not a concern only for large enterprises, but also for small and medium-sized businesses (SMEs). The latter are at a higher risk since they have neither the funds nor the expertise. They incur significant costs on account of these breaches, and customer data is also compromised. SMEs can greatly benefit from the innovative and competitively priced compliance solutions offered by Seers, covering consent management, assessments & certifications, policies & documentation and privacy experts.
✓ More people
With more and more people going online, with businesses storing consumer and corporate data in the cloud, and with the emergence of technologies like 5G that can facilitate faster data connectivity, it is only natural for lawmakers to pay greater attention to the concerns of rising cyber threats. The NIS Directive had been under discussion since 2013 and finally came into effect in 2018.
What is the NIS Directive?
The objective of the NIS Directive is to improve the security of the digital infrastructure – including both information systems and networks – across the entire EU. The law governs the cybersecurity standards followed by providers of essential services in the EU and providers of digital services to EU residents.
Implementation of the NIS Directive
Before the NIS Directive was implemented, cybersecurity concerns were tackled at a national level within the EU. However, EU countries already have many interconnected digital networks. The gaps in legislation created a multitude of complexities and made it difficult to target cybercriminals.
The NIS Directive bridges these gaps definitively. It also creates a much safer online environment for the delivery of essential services, which are critical to the smooth functioning of a nation's information security infrastructure and the structures that support it.
NIS Directive requirements
It demands that EU member states put in place a fully equipped national framework to counter cyber attacks. The framework broadly has three components:
- Better national cybersecurity capability
It requires EU member states to have a national cybersecurity framework in place. As a result, nations will be able to implement the Directive successfully and be ready for any unavoidable cybersecurity incidents. According to the NIS Directive, each country must establish a Computer Security Incident Response Team (CSIRT) and an NIS Competent Authority (CA) to oversee and guarantee the achievement of these objectives.
- Cooperation across the EU
Member states should cooperate with each other for a seamless exchange of technology and information to improve security against cyber attacks. The Directive requires member states to be part of the CSIRT Network to ensure strategic collaboration.
- Notification & security
Member states need to identify and classify organisations in sectors vital to the economy and heavily dependent on information systems as 'Operators of Essential Services' (OES). These OES must then take the necessary steps to manage their cybersecurity risks and inform the relevant national authority in the case of an attack. Industry participation is key to implementing the NIS Directive.
Who comes under the NIS?
Organizations that come under the jurisdiction of the NIS Directive fall into two categories: Operators of Essential Services (OESs) and Digital Service Providers (DSPs).
✓ An operator of essential services (OES)
If an organization is part of an industry that provides essential services, such as aviation, rail, road, energy & power, banking and others, and relies on an information network to deliver these services, then it comes under the purview of NIS. It can be either a public or a private organization.
✓ Digital service providers
Organisations providing digital services to citizens also come under NIS. These include online marketplaces, online search engines and cloud computing services.
✓ Entities falling outside NIS Directive
Entities falling outside NIS send 'voluntary notifications' to the relevant authority to report cyberattacks that potentially have a significant impact on their operations.
What is the difference between the NIS and the GDPR?
Generally, the basic difference between the NIS Directive and the General Data Protection Regulation (GDPR) is that the former is a directive and the latter is a regulation. The NIS Directive consists of a set of instructions that member states implement through their own national laws. It is up to the individual state governments to interpret and implement the objectives laid down by the NIS Directive.
By contrast, the General Data Protection Regulation (GDPR) is a law that member states must follow directly. It does not vary from one EU member state to another. An excellent example of this is the size of fines and sanctions under each of these. Whilst GDPR has clearly defined the size of the fines to be levied on organizations, there is no such clarity in the case of the NIS Directive: the responsibility lies with the individual state governments to determine the fines.
Also, whilst the GDPR applies to all organizations dealing with the personal data of EU residents, the NIS Directive only deals with a specific set of organizations operating inside the EU.
With GDPR and the NIS Directive enacted one after the other, organizations understandably have a lot on their plate. Although GDPR has captured the bulk of the corporate world's attention, NIS is going to have an equally profound effect on how businesses operate, shaping the cybersecurity landscape for the future.