
Navigating the NIS Directive: Bolstering Critical Infrastructure Cybersecurity

While the General Data Protection Regulation (GDPR) received widespread attention, the ‘EU Network and Information Security Directive (NIS Directive),’ a newly enacted directive, went relatively unnoticed.

Nevertheless, given a few recent cyber-attacks on critical infrastructure, this directive is much needed in the cybersecurity landscape. Who can forget WannaCry, which crippled the NHS in early 2017 and attacked other targets worldwide?

The EU has come to appreciate the significance of interconnected networks and information systems, and that they require security against cyberattacks. This blog outlines the importance of the NIS Directive, who it applies to and the costs it brings.

What is the NIS Directive?

The Network and Information Systems Directive, also known simply as the NIS Directive, is a piece of legislation enacted by the European Union to bolster the cybersecurity and resilience of vital infrastructure and services throughout all EU member states.

Its purpose is to achieve a high common level of network and information system security within the UK. The directive therefore brings new measures to be implemented by all Member States starting May 10th this year.

Five elements of NIS Directive

1. Operators of Essential Services (OES):

It calls out industries like energy, transportation, and healthcare as examples of those providing “essential services” that must meet certain cybersecurity standards. Member States are also obliged to adopt a national cybersecurity strategy.

2. Digital Service Providers (DSPs):

It classifies certain online services, such as search engines, cloud computing services, and online platforms, as digital service providers and imposes cybersecurity requirements on them.

3. Reporting Incidents:

It makes it mandatory for OES and DSPs to disclose important cybersecurity incidents to the appropriate authorities, improving transparency and enhancing the speed with which they can respond.

4. Safety Precautions:

To ensure the safety of their networks and information systems, organisations are required under the directive to put in place suitable security precautions and risk management procedures.

5. Collaboration and the exchange of knowledge:

It promotes collaboration and the sharing of information among the member states of the EU, fostering a joint approach to dealing with cybersecurity incidents and threats.

Who does the NIS Directive apply to?

The EU NIS Directive primarily relates to two types of entities, which are as follows:

  1. Operators of Essential Services (OES): This category covers firms that operate in complex industries such as energy, fleet, healthcare, and finance in order to supply services that are essential for the functioning of society. OES are required to comply with a variety of cybersecurity standards.
  2. Digital Service Providers (DSPs): Online platforms, search engines, and cloud computing services are all examples of digital service providers, or DSPs. They are also subject to the NIS Directive and must fulfil their commitments regarding cybersecurity.

The precise application of the directive may differ significantly throughout the member states of the EU; however, these are the primary groups that are the focus of the regulation.

How Does the NIS Directive Improve UK Critical Infrastructure Cybersecurity?

The UK’s Minister for Digital and the Creative Industries, Margot James, said: “We want our essential services and infrastructure to be primed and ready to tackle cyber-attacks and be resilient against major disruption to services.” Changing behaviours around cyber-attacks on utilities is the critical feature of NIS compliance.

According to a report by EY, a very worrisome majority of utilities surveyed had very few cyber threat assessment measures in place. Given this statistic and the fact that a new cyber-attack may be just around the corner, the NIS Directive obligations, although costly, can only be seen as positive in the current climate.

Among other obligations, the NIS Directive imposes specific incident warning and reporting obligations on OESs. OESs no longer enjoy the reporting privileges they had earlier, and every single detail of a security breach, along with any other incidents, must be shared with the competent National Authority under strict conditions.

Financial Implications of the NIS Directive

Overall, actors affected by the provisions of the NIS Directive, from governments to DSPs and OESs, should expect increased investment costs due to the implementation of the respective measures. Non-compliant companies should be prepared for penalties imposed by National Competent Authorities.

The enforcement of fines depends on the Member States, but we can expect the numbers involved to be comparable with those imposed by the GDPR. For example, according to publicly available information, in the UK organisations risk fines of up to £17m.

Regardless of the expected financial impact of the NIS Directive, there is still some positivity and hopefulness surrounding it. Stakeholders are now recognising the importance of the NIS Directive in a more digitised world.

Conclusion

While GDPR overshadowed the EU Network and Information Security Directive (NIS Directive), its relevance cannot be overemphasised. Recent cyberattacks on key infrastructure highlight the need for strong cybersecurity.

The NIS Directive emphasises cybersecurity standards and reporting for OES and DSPs. The UK recognises the need for cyber-resilient vital infrastructure. The NIS Directive promotes proactive cybersecurity to address utilities’ worrying lack of cyber threat assessment.

The directive improves digital security but comes with costs and penalties. As the digital world evolves, stakeholders are realising the NIS Directive’s importance in protecting critical infrastructure and improving cybersecurity.