The NIS Directive – what should we expect
Nevertheless, taking into account some very recent cyber-attacks on critical infrastructure, this directive has long been needed in the cyber security landscape. Who can forget the WannaCry strike that crippled the NHS in early 2017 and hit other targets in various countries around the world?
The EU recognized that network and information systems are an essential part of living in today's society and therefore need to be safeguarded against threats. This is where the NIS Directive comes into play. Its purpose is to achieve a high common level of security of network and information systems within the EU. To this end, the directive brings a heap of new measures to be implemented by all Member States starting with May 10th this year.
Five new elements:
- The obligation for the Member States to adopt a national strategy for cyber security;
- A Cooperation group between the Member States;
- A CSIRTs network ("computer security incident response teams network") for swift and effective operational cooperation;
- The creation of security and notification requirements for operators of essential services and digital service providers;
- The obligation for the Member States to designate competent national authorities, single points of contact and CSIRTs;
In the UK, the NCSC will be taking on the formal roles of CSIRT and Single Point of Contact within the national framework.
Who does it apply to?
Two very different types of entities:
- Digital Service Providers (DSP) like online marketplaces, search engines and cloud services;
- Operators of Essential Services (OES): energy, transport, banking, financial, health, drinking water supply and digital infrastructure; by 9 November 2018, Member States shall identify the OESs with an establishment on their territory;
Utilities in need of increased security
In the UK, Margot James, Minister for Digital and the Creative Industries, said: "We want our essential services and infrastructure to be primed and ready to tackle cyber attacks and be resilient against major disruption to services." One of the key elements of the NIS Directive is to change behaviours when it comes to cyber-attacks on utilities. According to a report by EY, a very worrisome majority of the utilities surveyed had very few cyber threat assessment measures in place. Given this statistic, and the fact that a new cyber-attack may be just around the corner, the NIS Directive obligations, although costly, can only be seen as positive in the current climate.
Among other obligations, the NIS Directive imposes specific incident warning and reporting obligations on OESs. They will no longer have the same freedom in reporting as before: details of security breaches and other incidents will have to be shared with the competent National Authority under much stricter conditions.
What about costs?
Overall, the actors affected by the provisions of the NIS Directive, from governments to DSPs and OESs, should expect increased investment costs due to the implementation of the respective measures. Non-compliant organizations should also expect fines from the national Competent Authorities. Although penalties have been left at the discretion of Member States, we may expect the sums involved to be comparable with those imposed by the GDPR. For example, according to publicly available information, in the UK organizations risk fines of up to £17m.
Despite the expected financial impact of the NIS Directive, there seems to be a generally positive and hopeful attitude surrounding it, with stakeholders at all levels recognising the necessity and importance of the NIS Directive in a more and more digitised world.