Overshadowed by other regulations, the NIS Directive will come into effect tomorrow, 10th May, to ensure that information systems used by operators of essential services and relevant digital service providers are secured against cyber-attacks. The relevant sectors include energy (electricity, oil and gas), transport (air, rail, water and road), healthcare and digital infrastructure. IT security experts commented below.
Charlie Wedin, Cyber Security Expert at Osborne Clarke:
“The NIS Directive will be critical to ensure essential services in the UK remain ‘on’ during even the most extreme cyber-attacks. In recent years, the number of cyber-attacks against national infrastructure has risen dramatically, and this demonstrates just how attractive these systems have become to malicious actors looking to target any vulnerable points in the system. The consequences on society can be significant – preventing access to power, transport and emergency services. Recognising the importance of digital services in today’s society, the Directive also applies to online marketplaces, search engines and cloud storage.
“So, while the NIS Directive has been somewhat overshadowed by the General Data Protection Regulation (GDPR), operators of essential services must ensure they are prepared to deal with both regulations. With a risk of “double jeopardy” under GDPR and NIS – in the event that a business suffers a cyber incident which impacts personal data and essential services – businesses need to carry out a holistic evaluation of their technical and organisational measures to ensure the security of their networks and information. They should also test their security measures with realistic “war game” simulations to proactively identify and rectify potential weaknesses.”
Greg Day, VP & CSO EMEA at Palo Alto Networks:
- How will this affect organisations in the UK?
“As you know, on 20 April DCMS laid the UK legislation implementing the EU’s NIS Directive in Parliament. This legislation will come into effect today. The NIS Directive applies to certain organisations that fall into two buckets: those called Operators of Essential Services — companies in energy, healthcare, transportation, drinking water, some financial services, and digital infrastructure, such as IXPs — and Digital Service Providers – companies that provide online search, online marketplaces, or cloud computing services.”
- What actions will they have to take in future?
“Organizations falling under NIS must do two main things:
“First, secure their networks and systems: They should take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of networks and information systems which they use in their operations. These measures must have regard to the state of the art, and ensure a level of security appropriate to the risk posed. The NIS Directive also includes specific language focusing on the requirement to prevent incidents, the aim being to ensure resilience of these services.
“Second, notify incidents of certain magnitudes to competent authorities or CERTs/CSIRTs.”
- What policies and procedures will have to be put in place?
“DCMS and NCSC have detailed information on their websites about how they plan to implement NIS in the UK, i.e. what organisations practically need to do. The NCSC is taking a risk-based/outcome-based approach to implementing NIS, describing mandatory security outcomes to be achieved. Organisations in the various sectors will work directly in most cases with their current regulatory authority, which will in turn get guidance from NCSC. The UK Government wants to encourage a collaborative and proactive approach between organisations and their competent authority.
“It is important to note that the UK law will allow for fines of up to £17 million. This maximum will cover all contraventions, such as failure to cooperate with the competent authority, failure to report a reportable incident, failure to comply with an instruction from the competent authority, and failure to implement appropriate and proportionate security measures. But the UK Government has stated fines would be a last resort; they will not apply to operators which have assessed the risks adequately, taken appropriate security measures and engaged with regulators but still suffered an attack.”
- How does this relate to GDPR?
“The NIS Directive is not related to the GDPR. They are separate pieces of EU legislation that happened to be finalized at approximately the same time, and both are live starting May 2018.
“The NIS Directive is a cybersecurity law that each EU nation must themselves apply, full stop. It is focused on ensuring those services with a technology dependency (which today means most services), and which are key to the functioning of society, remain resilient to cyberattack. GDPR is focused on the protection of personal data of people in the EU.
“The laws also have differing coverage. The NIS Directive applies to Operators of Essential Services and Digital Service Providers providing these services in the EU. The GDPR applies to any company, located anywhere in the world, that processes the personal data of or markets to people in the EU.
“While the laws are not related, I think NIS has been very overshadowed by GDPR, and many UK companies are still waking up to the fact they must comply with NIS. GDPR has and is getting lots of attention, yet awareness of NIS seems to be comparatively low. The NIS Directive should be seen as a positive opportunity to drive change.”