Europe’s directive on security of network and information systems (NIS) officially comes into force today.
All organisations classified by the NIS as competent authorities to be “operators of essential services” will be affected by new laws.
This includes companies in energy, healthcare, some financial services, and digital infrastructure – such as IXPs, and Digital Service Providers
Failure to comply may result in hefty fines for cyber security failings.
Greg Day, VP & CSO EMEA at network security specialists Palo Alto answers some questions about the legislation and its impact.
How will this affect organisations in the UK?
As you know, on 20 April DCMS laid the UK legislation implementing the EU’s NIS Directive in Parliament. This legislation will came into effect today. The NIS Directive applies to certain organisations that that fall into two buckets: those called Operators of Essential Services – companies in energy, healthcare, transportation, drinking water, some financial services, and digital infrastructure- such as IXPs, and Digital Service Providers – companies that provide online search, online marketplaces, or cloud computing services.
What actions will they have to take in future?
Organizations falling under NIS must do two main things: First, secure their networks and systems. They should take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of networks and information systems which they use in their operations. These measures must have regard to the state of the art, and ensure a level of security appropriate to the risk posed. The NIS Directive also includes specific language focusing on the requirement to prevent incidents, the aim being to ensure resilience of these services. Second, notify incidents of certain magnitudes to competent authorities or CERTs/CSIRTs.
What policies and procedures will have to be put in place?
DCMS and NCSC have detailed information on their websites about how they plan to implement NIS in the UK – what organizations practically need to do. The NCSC is taking a risk-based/ outcome-based approach to implementing NIS, describing mandatory security outcomes to be achieved. Organisations in the various sectors will work directly in most cases with their current regulatory authority, which will in turn get guidance from NCSC. The UK Government wants to encourage a collaborative and proactive approach between organisations and their competent authority.
It is important to note that the UK law will allow for fines of up to £17 million. This maximum will cover all contraventions, such as failure to cooperate with the competent authority, failure to report a reportable incident, failure to comply with an instruction from the competent authority, failure to implement appropriate and proportionate security measures. But the UK Government has stated fines would be a last resort- they will not apply to operators which have assessed the risks adequately, taken appropriate security measures and engaged with regulators but still suffered an attack.
Does this Connect to GDPR At All?
No. They are separate pieces of EU legislation that happened to be finalized at approximately the same time, and both are live starting May 2018.
The NIS Directive applies to Operators of Essential Services and Digital Service Providers providing these services in the EU. The GDPR applies to any company, located anywhere in the world, that processes the personal data of or markets to people in the EU. While the laws are not related, I think NIS has been very overshadowed by GDPR, and many UK companies are still waking up to the fact they must comply with NIS. GDPR has and is getting lots of attention, yet awareness of NIS seems to be comparatively low. The NIS Directive should be seen as a positive opportunity to drive change.