While GDPR gained all the coverage, the EU Network and Information Security Directive (the NIS Directive), a newly implemented Directive, almost went unnoticed.
The NIS Directive – what should we expect
Nevertheless, after several recent cyber-attacks on critical infrastructure, this directive is much needed in the cybersecurity landscape. Who can forget the WannaCry attack, which crippled the NHS in May 2017 and hit a number of other targets in countries around the world?
The EU recognised the importance of networks and information systems and the role they play in our daily lives. Therefore, they need to be protected against cyber-threats.
This is where the NIS Directive comes into effect. Its purpose is to achieve a high common level of security of network and information systems across the Union. To that end, the directive brings new measures to be implemented by all Member States from 10 May 2018.
It introduces five new elements:
- The obligation for the Member States to adopt a national strategy for cyber-security
- A Cooperation group between the Member States
- A CSIRTs network (a network of computer security incident response teams) for swift and effective operational cooperation
- The creation of security and notification requirements for operators of essential services and for digital service providers
- The obligation for the Member States to designate national competent authorities, single points of contact and CSIRTs
In the UK, the NCSC will take the formal roles of CSIRT and Single Point of Contact under the national framework.
Who does it apply to?
It applies to two very different types of entities:
- Digital Service Providers (DSP) like online marketplaces, search engines, and cloud services;
- Operators of Essential Services (OES) in energy, transport, banking, financial market infrastructure, health, drinking water supply and digital infrastructure; by 9 November 2018, Member States must identify the OESs with an establishment on their territory.
Utilities in need of increased security
The UK’s Minister for Digital and the Creative Industries, Margot James, said: “We want our essential services and infrastructure to be primed and ready to tackle cyber-attacks and be resilient against major disruption to services.” Changing behaviour around cyber-attacks on utilities is the key aim of the NIS Directive.
According to a report by EY, a worrying majority of the utilities surveyed had few cyber-threat assessment measures in place. Given this statistic, and the fact that the next cyber-attack may be just around the corner, the NIS Directive's obligations, although costly, can only be seen as positive in the current climate.
Among other obligations, the NIS Directive imposes specific incident warning and reporting duties on OESs. Reporting is no longer at the operator's discretion, as it was before: security breaches and other significant incidents, together with their details, must be notified to the competent national authority under strict conditions.
What about costs?
Overall, the actors affected by the provisions of the NIS Directive, whether governments, DSPs or OESs, should expect increased investment costs from implementing the required measures.
Non-compliant companies should also be prepared for penalties imposed by national competent authorities. The enforcement of fines is left to the Member States, but the amounts involved can be expected to be comparable with those imposed under GDPR. In the UK, for example, according to publicly available information, organisations risk fines of up to £17m.
Despite the expected financial impact of the NIS Directive, there is still optimism surrounding it, and stakeholders are increasingly recognising its importance in a more digitised world.