Cyber Security and the NIS Directive

NIS Directive (EU 2016/1148)

Nowadays, cyber-attacks are on the rise! Targeted attacks on organisations have grown from an average of 350,000 cyber incidents in 2017 to 4000 cyberattacks per day during the COVID-19 pandemic in 2020.

✓ Digital security infrastructure

Today’s digital security infrastructure can prevent 87% of the attacks. But, even with that level of security, organisations are looking at anywhere in the range of 2 to 3 breaches per month. What if essential services like banking or telecom services are breached or manipulated by these attacks? It can turn the life of citizens upside down and even topple a country’s economy.

✓ GDPR privacy protection

General Data Protection Regulation (GDPR) is a powerful privacy protection measure that will be affecting the way organisations deal with the data of EU residents. But, there is another set of regulations that some organisations must follow in addition to those laid down by the GDPR. This regulation is called the Network, and Information Systems (NIS) Directive and it deals with the issue of cybersecurity concerning the critical national infrastructure. So, what exactly is the NIS Directive, and what are its implications?

Need for the NIS Directive

The cybersecurity breaches survey 2017 showed that for the 74% of the surveyed businesses, cyber essential is an essential requirement for senior management. However, the survey came out with a startling finding that despite the evident significance attached by businesses to cybersecurity, all the UK businesses (covered by the survey) faced cybersecurity risks. More needs to be done in this regard and organisations should at least conduct a cyber secure audit to identify their key risks and recommendations to address these risks.

✓ Cybersecurity, not a concern just for large organisations

Unlike popular perception, cybersecurity is not a concern for only large enterprises, but also small and medium-sized businesses (SMEs). The latter are at a higher risk since they neither have the funds nor the expertise. They incur significant costs on account of these breaches, and the customer data is also compromised. SMEs can greatly benefit from the innovative and competitively priced compliance solutions covering consent management, assessments & certifications, policies & documentation and privacy experts offered by Seers.

✓ More people

With more and more people going online, with businesses storing consumer and corporate data on the cloud, and with the emergence of technologies like 5G that can facilitate faster data connectivity, it is only natural for lawmakers to pay greater attention to the concerns of rising cyber threats. The NIS Directive was under discussion since 2013 and finally came into effect in 2018.

What is the NIS Directive?

The objective of the NIS Directive is to improve the security of the digital infrastructure – including both information systems and networks – across the entire EU. The law governs the cybersecurity standards followed by the providers of essential services in the EU and providers of digital services to the EU residents.

Implementation of the NIS Directive

Before implementing the NIS Directive, cybersecurity concerns were tackled on a national level by the EU. However, the EU countries already have many connected digital networks. The gaps, in terms of legislation, created a multitude of complexities and made it difficult to target the cybercriminals.

The NIS Directive bridges these gaps definitively. It also creates a much safer online environment for the dispensing of essential services, which are critical for the smooth functioning of the information security infrastructure of a nation and the structures supporting these.

NIS Directive requirements

NIS Directive demands that the EU member states put in place a fully equipped national framework to counter the attacks related to cybersecurity. The framework broadly has three components:

  • Better national cybersecurity capability

It needs EU member states to have a national cybersecurity framework in place. This will allow nations to not only effectively follow the Directive, but also be prepared for the inevitable cybersecurity incidents. The NIS Directive requires nations to develop a Computer Security Incident Response Team (CSIRT) and NIS Competent Authority (CA) to control and make sure that these goals are met.

  • Cooperation across the EU

The member states should cooperate with each other for a seamless exchange of technology and information to improve security against cyber attacks. A single point of contact needs to be created across the member states to facilitate cooperation. This role can be served by the NCA. The directive demands member states to be a part of the CSIRT Network to ensure strategic collaborations.

  • Notification & security

Member states need to identify and classify sectors vital to the economy and heavily dependent on information systems as ‘Operators of Essential Services’ (OES). Then, these OES must take the necessary steps to manage their cybersecurity risks and inform the relevant national authority in the case of an attack. A key to implement on the NIS Directive is Industry participation.

Who comes under the NIS Directive?

Organisations that come under the jurisdiction of the NIS Directive have two categories: Operator of Essential Services (OESs) and Digital Service Providers (DSPs).

✓ An operator of essential services (OES)

If an organisation is part of an industry that provides essential services such as aviation, rail, road, energy & power, banking, and others, and relies on an information network to deliver these services, then it comes under the purview of NIS. It can be either a public or a private organisation.

✓ Digital service providers

Organisations providing digital services to the citizens also come under NIS. These include online marketplaces, online search engines and cloud computing services.

✓ Entities falling outside NIS Directive

Entities falling outside the purview of the NIS Directive are allowed to send ‘voluntary notifications’ to the relevant authority. To report cyberattacks that potentially have a significant impact on their operations.

Cyber security

What is the difference between the NIS Directive and the GDPR?

Generally, the basic difference between the NIS Directive and the General Data Protection Regulation (GDPR) is that the former is a directive and the latter is a regulation. However, the NIS Directive consists of a set of instructions to the member states for the implementation of their state laws. It is up to the individual state governments to interpret and implement the objectives laid down by the NIS Directive.

On the contrary, the General Data Protection Regulation (GDPR) is a law that member states must follow. It will not vary from one EU member state to another. An excellent example of this is the size of fines and sanctions under each of these. Whilst GDPR has clearly defined the number of fines to be levied on the organisations that infringe the law, there is no such clarity in the case of the NIS Directive. The responsibility lies with the individual state governments to determine the fines.

Also, whilst the GDPR applies to all the organisations dealing with the personal data of EU residents within the EU and abroad, the NIS Directive only deals with a specific set of organisations operating inside the EU.

With GDPR and the NIS Directive enacted one after the other, organisations understandably have a lot on their plate. Although, GDPR has captured the bulk of the attention of the corporate world. But, the NIS Directive is going to have an equally profound effect on how businesses operate and shape the cybersecurity landscape for the future.