Nevertheless, taking into account some very recent cyber-attacks on critical infrastructure, this directive has long been needed in the cyber security landscape. Who can forget the WannaCry strike that crippled the NHS in early 2017 and hit other targets in various countries around the world?
The EU recognised that network and information systems are an essential part of living in today’s society and, therefore, need to be safeguarded against threats. This is where the NIS Directive comes into play. Its purpose is to achieve a high level of security of network and information systems within the EU. To this end, the directive introduces a set of new measures to be implemented by all Member States starting with May 10th this year.
Five new elements:
- The obligation for the Member States to adopt a national strategy for cyber security;
- A Cooperation group between the Member States;
- A CSIRTs network (“computer security incident response teams network”) for swift and effective operational cooperation;
- The creation of security and notification requirements for operators of essential services and digital service providers;
- The obligation for the Member States to designate competent national authorities, single points of contact and CSIRTs;
In the UK, the NCSC will be taking on the formal roles of CSIRT and Single Point of Contact within the national framework.
Who does it apply to?
Two very different types of entities:
- Digital Service Providers (DSP) like online marketplaces, search engines and cloud services;
- Operators of Essential Services (OES): energy, transport, banking, financial, health, drinking water supply and digital infrastructure; by 9 November 2018, Member States shall identify the OESs with an establishment on their territory.