There’s a good chance you’ve heard about the GDPR, and you probably have a good understanding of what it entails by now. The Network and Information Systems (NIS) Directive, on the other hand, is probably more of a mystery, but depending on your business it could be just as important. Whilst the GDPR focuses on protecting data, the NIS Directive aims to protect services. The recent WannaCry attack that hit the NHS further highlighted the need for more secure infrastructure. The NIS Directive aims to achieve this – here’s what you need to know.
What’s the history of the NIS Directive?
The NIS Directive was adopted by the European Parliament on 6th July 2016. EU member states, including the UK, now have until 9th May 2018 to transpose the Directive into domestic legislation. The legal measures provided by the Directive exist to raise the overall level of network and information system security across the EU. They include:
- A national framework to support and promote the security of network and information systems
- The set-up of a Cooperation Group so member states can share information, strategy, and risks
- Ensuring a security framework is implemented across all vital sectors, including energy, transport, water, healthcare and digital infrastructure. Businesses in these sectors will be identified as ‘operators of essential services’ and will have to follow a number of guidelines.
How do I know if I’m an ‘operator of an essential service’?
According to the Directive, an ‘operator of an essential service’ meets the following criteria:
- Provides a service which is essential for the maintenance of critical societal and/or economic activities;
- The provision of that service depends on network and information systems;
- An incident affecting those systems would have significant disruptive effects on the provision of that service.
The UK Government will be identifying these operators, using the following criteria:
- Sector – the broad part of the UK’s economy;
- Subsector – specific elements within an individual sector;
- Essential service – the specific type of service;
- Identification thresholds – criteria to identify essential operators (for example through size or the impact of events we are seeking to prevent).
What do I have to do if I’m an ‘operator of an essential service’?
The UK Government is currently running a public consultation to gather feedback on how exactly the new framework should look. Whatever legislation is put in place, it’s clear that it will be down to the operator to prove that they have the relevant measures in place to adhere to the set framework. Organisations will need to evidence that they are compliant, and can do so in a number of ways.
- Review what you’re already doing – the best place to start is to conduct a review of what you already have in place. What does your current security framework look like and how can it be improved?
- Get Cyber Essentials or Cyber Essentials Plus accredited – this Government certification not only helps protect your organisation against common cyber threats, but also demonstrates you take the matter seriously.
- Get ISO 27001 accredited – this standard demonstrates that a company is following best practice in how it runs its information security management system. It’s a must-have if you’re operating an essential service.
- Incident response – companies will need to demonstrate a clear incident response programme that will comply with the timeframe set for reporting breaches to the ICO.
- Put a protective monitoring system in place – the NIS Directive also mandates protective monitoring, as an extension of the old mandated GPG13 approach. Having this in place will ensure your organisation stays on top of potential threats, spotting them and responding to them before they cause any damage.
If you need more help and advice on how you can prepare for the NIS Directive, get in touch with a member of the Falanx Cyber Defence team to discover the right solution for your business.