Just when the excitement over GDPR has finally begun to settle down, there is another European information security mandate that everyone needs to be aware of. The EU-approved Network and Information System (NIS) Directive is now enforceable in many EU member countries. Nobody likes hearing about yet another regulatory requirement, but cybersecurity is critical and undergoing fast changes. Regulation, best practices and technology need to keep pace – if done correctly the benefits are well worth the effort.
What is the NIS Directive?
The NIS Directive on security of network and information systems (NIS Directive) is the first piece of cybersecurity legislation passed by the European Union (EU).
The Directive was adopted on July 6, 2016 and its aim is to achieve a high common standard of network and information security across all EU Member States – meaning that the NIS Directive will also apply to U.S. companies and other multinationals doing business in the EU.
U.S. e-commerce and cloud computing companies will fall under the jurisdiction of the NIS Directive, and of course, subsidiaries of U.S. infrastructure companies will also be affected and subject to its sanctions and fines.
What this all means is that companies covered by the NIS Directive should focus their data security programs on protecting complete IT systems, not just individual data sets. That means analyzing cyber threat patterns, using techniques such as machine learning, to detect attacks and determine whether they are intended to disrupt, or are in fact disrupting, operations.
What are the Implications of the NIS Directive?
The NIS Directive adopts a multi-layered approach by placing obligations on all stakeholders: member states, their national authorities, and the companies themselves. The main obligations are:
- Establish a national NIS strategy and regulatory measures to achieve network security.
- Establish a competent authority to monitor the application of NIS Directive in their territory and across member states.
- The competent authorities in each member state are to be given the power to investigate cases of non-compliance with the NIS Directive by Financial Services organizations, which may be required to undergo security audits.
- The European Commission and National Crime Agencies (NCAs) to cooperate and coordinate against risks and incidents affecting network and information systems.
- Security obligations impose a minimum level of security for digital technologies, networks and services.
- Reporting obligations make it compulsory to report significant cyber incidents to national regulators.
Which Industry Groups Does it Affect?
The NIS Directive is meant to ensure the continuity of the essential services, utilities, and digital services that society depends on. That means energy enterprises that provide people with electricity and gas will be affected, as well as organizations that handle transportation and water services. Banking institutions, companies that handle financial infrastructure, and healthcare groups are also covered by the Directive. And since many services rely on online connections, organizations that manage digital infrastructure (IXP and DNS service providers, for example) are also under this Directive, along with digital service providers like cloud services and search engines.
Four Immediate Steps to NIS Compliance
- Contact NCAs: Organizations within the scope of the NIS Directive should contact their Member State's National Competent Authorities (NCAs) to find out which authority they are required to notify in the event of a security incident. Make sure you understand which regulatory body has the authority to sanction your organization in the event of non-compliance.
- Liaise with CSIRTs: Organizations should contact Computer Security Incident Response Teams (CSIRTs) to obtain information about current security threats and get further clarity on cybersecurity issues. To ensure that cooperation between the relevant authorities is well established, designated CSIRTs must meet some basic requirements. These include monitoring incidents at a national level; providing early warning, alerts, announcements and dissemination of information to relevant stakeholders about risks and incidents; responding to incidents; providing dynamic risk and incident analysis and situational awareness; and, lastly, participating in the CSIRT network. This last point is vital, as participation in the CSIRT network, both online and in physical meetings, is essential to building trust between group members.
- Implement Technical and Organizational Security Measures: The NIS Directive requires organizations to implement a range of security measures in areas like system security, incident management, testing, and compliance with international standards (NIST Cybersecurity Framework for Critical Infrastructure, IEC 62443, NERC, etc.). While the Directive is short on specifics, organizations should follow all industry cybersecurity best practices and look to meet other compliance regulations such as the GDPR, many of which have overlapping requirements. Organizations should also conduct risk assessments regularly and implement measures to mitigate identified risks.
- Implement an Effective Security Incident Response Process: Incident reporting is a key part of the Directive. You should hone your own incident reporting process so that it captures details such as the number of users affected, the duration of the incident, the geography involved, the economic impact, and the extent of service disruption. Upon discovery of an incident, notification should be made to the NCA or CSIRT "without delay."
Why the US Should Initiate Similar Regulation
Nobody likes hearing about yet another regulation, but U.S. companies forced to implement information security changes to comply with the EU's NIS Directive may find it to be a blessing in disguise. Lessons learned from NIS Directive compliance should put them in a better position to deal with cyberattacks wherever they occur – and that is everybody's goal, regardless of regulatory bodies and their jurisdictions.