NIS Directive (EU 2016/1148)
Cyber attacks are on the rise! Targeted attacks on organisations have grown from an average of 107 in 2017 to a projected 232 in 2018.
✓ Digital Security Infrastructure
Today’s digital security infrastructure can prevent 87% of the attacks. But, even with that level of security, organisations are looking at anywhere in the range of 2 to 3 breaches per month. What if essential services like banking or telecom services are breached or manipulated by these attacks? It can turn the life of citizens upside down and even topple a country’s economy.
✓ GDPR Privacy Protection
General Data Protection Regulation (GDPR) is a powerful privacy protection measure that will be affecting the way organisations deal with the data of EU residents. But, there is another set of regulations that some organisations must follow in addition to those laid down by GDPR. This regulation called the Network, and Information Systems (NIS) Directive deals with the issue of cybersecurity concerning the critical national infrastructure. So, what exactly is the NIS Directive, and what are its implications?
Need for NIS
The Cyber Security Breaches Survey 2017 showed that 74% of the surveyed businesses. Cyber essential is a top-notch priority for senior management and 31% of them. However, the survey came out with a startling finding that despite the evident significance attached by the businesses to cybersecurity, all the UK businesses (covered by the survey) faced cyber Security risks. More needs to be done.
✓ Cyber Security, not a Concern
Unlike popular perception, Cyber Security is not a concern for only large enterprises, but also small and medium-sized businesses. The latter are at a higher risk since they neither have the funds nor the expertise. They incur significant costs on account of these breaches, and the customer data is also compromised.
✓ More People
With more and more people going online, with businesses storing consumer and corporate data on the cloud, and with the emergence of technologies like 5G that can facilitate faster data connectivity, it is only natural for lawmakers to pay greater attention to the concerns of rising cyber threats. NIS Directive was under discussion since 2013 and finally came into effect in 2018.
What is NIS?
The NIS Directive objective is to improve the security of the digital infrastructure – including both information systems and networks – across the entire EU. The law governs the cybersecurity standards followed by the providers of essential services in the EU and providers of digital services to the EU residents.
Implementation NIS Directive
Before implementing the NIS Directive, the concerns of cybersecurity EU were tackled on a national level. However, the EU countries already have many connected digital networks. The gaps, in terms of legislation, created a multitude of complexities and made it difficult to nab the cybercriminals.
NIS Directive Bridges
The NIS Directive bridges these gaps definitively. It will also create a much safer online environment for the dispensing of essential services, which are critical for the smooth functioning of the nations and the structures supporting them.
NIS Directive requires
NIS Directive demands the EU member states to put a fully equipped national framework to counter the attacks related to cybersecurity. The framework broadly has three components:
- Better National Cyber Security Capability
It needs EU member states to have a national cybersecurity framework in place. This will allow nations to not only effectively follow the Directive, but also be prepared for the inevitable cyber security incidents. The NIS Directive requires nations to develop a Computer Security Incident Response Team (CSIRT) and NIS Competent Authority (CA) to control and make sure that these goals are met.
- Cooperation Across the EU
The member states should cooperate with each other for a seamless exchange of technology and information to improve security against cyber attacks. A single point of contact needs to be created across the member states to effectuate cooperation. This role can be served by the NCA. The directive demands member states to be a part of the CSIRT Network to ensure strategic collaborations.
- Notification & Security
Member states need to identify and classify sectors vital to the economy and heavily dependent on information systems as ‘Operators of Essential Services’. Then, these OES must take the necessary steps to manage their cybersecurity risks and inform the relevant national authority in the case of an attack. A key to implement on the NIS Directive is Industry participation.
✓ Who Comes Under NIS?
Organisations come under the jurisdiction of the NIS Directive have two categories – Operator of Essential Services (OESs) and Digital Service Providers (DSPs).
✓ An operator of Essential Services
If an organisation is a part of an industry that provides essential services, such as aviation, rail, road, energy and power, banking, and others, and relies on an information network to deliver these services, then it comes under the purview of NIS. It can be either a public or a private organisation.
✓ Digital Service Providers
Organisations providing digital service to the citizens also come under NIS. These include online marketplaces, online search engines, and cloud computing services.
✓ Entities Falling Outside
Entities falling outside the purview of NIS are allowed to send ‘voluntary notifications’ to the relevant authority. To report cyber attacks that potentially have a significant impact on their operations.
What is the Difference Between NIS and GDPR?
The most basic difference between NIS and GDPR is that while NIS is a directive, GDPR is a regulation. NIS, a set of instructions to the member states for the implementation of their state laws. It is up to the individual state governments to interpret and attain the objectives laid down by the NIS.
✓ GDPR is a Law
On the contrary, GDPR is a law that member states must follow. It will not vary from one to another EU member state. An excellent example of this is the size of fines and sanctions under them. While GDPR has defined the number of fines to be levied on the organisations that infringe the law, there is no such clarity in the case of NIS. The responsibility lies with the individual state governments to determine the fines.
✓ GDPR Applies
Also, while GDPR applies to all the organisations dealing with the personal data of EU residents within the EU and abroad, NIS only deals with a specific set of organisations operating inside the EU.
✓ GDPR & NIS Enacted
With GDPR and NIS enacted one after the other, organisations understandably have a lot on their plate. Although GDPR has captured the bulk of the attention of the corporate world, NIS is going to have an equally profound effect on how businesses operate and shape the cybersecurity landscape for the future.