Understanding the NIS Directive and what it means for your business


With all the furore surrounding the introduction of GDPR earlier this year, another EU edict has comparatively flown under the radar. Nonetheless, the NIS Directive was apparently discussed in the European Parliament on far more occasions than the new data protection act (77 mentions compared to GDPR’s 13) in 2016 and 2017, signalling the importance placed on the subject by Europe’s elite politicians and lawmakers.

Why all the fuss? Well, the NIS Directive is the first piece of bloc-wide legislation on cyber security that the EU has introduced and is aimed at enhancing the defences surrounding some of our most essential national and international commodities, utilities and services. However, given that this is a directive rather than a regulation, it simply directs member states to create their own legislation, rather than regulating directly from Brussels.

While this does facilitate flexibility in individual member states, whose existing infrastructure, capabilities and requirements may differ considerably, it also creates room for confusion, ambiguity and grey areas in between the black and white of a rulebook. As a result, there is still a good deal of uncertainty surrounding the NIS Directive, despite it coming into effect almost six months ago. If you’re still in doubt about what the NIS is, who it applies to and what compliance entails, this handy guide should provide a few pointers.

What, when and who

According to the European Parliament, the NIS Directive has been created to “provide legal measures to boost the overall level of cybersecurity in the EU”. These measures take the form of setting up a Computer Security Incident Response Team (CSIRT) in each member state, as well as increasing collaboration between nations and enhancing security protocols overall. Each national government is responsible for identifying those companies to which the directive will apply, as well as the exact form it will take.

It was adopted on the 6th July 2016, came into force in August of that year and had to be transposed into the individual laws of each member state by 9th May this year. Governments have a further six months (taking them up to 9th November) to identify those businesses required to comply with the legislation. These businesses fall into two categories: Operators of Essential Services (OESs) and Digital Service Providers (DSPs).

The former comprises companies which supply and support critical infrastructure and utilities, such as water companies, energy providers and network operators; air, rail and road transportation businesses; banks; telecommunications companies; and food producers and distributors. The latter designation applies to companies which provide digital and online services and platforms, such as cloud computing capabilities, search engines and online marketplaces.

How to comply

Given the loose language used in the definition of the NIS Directive, it has been left up to individual governments to more clearly delineate how the aforementioned organisations can go about fulfilling their requirements. In the UK, the National Cyber Security Centre (NCSC) has opted for a principles-based approach rather than a prescriptive, rule-driven one.

What this means in practice is that the NCSC has supplied a list of good practice principles which businesses must interpret and apply to their own unique situation. Rather than aiming for a one-size-fits-all checklist, which would arguably be impossible to achieve in any case, the government has come up with 14 tenets, grouped into four key objectives, which businesses must abide by if they are to achieve compliance with the Directive. These are:

Managing the security risk

  • Governance. Implementing policies and principles which govern a company’s cyber security network.

  • Risk assessment. Identifying, understanding and quantifying risks to your systems and online databases, and establishing a robust protocol for dealing with them.

  • Asset management. Identifying and understanding all facets of your business which are crucial to the upkeep and continued provision of essential public services.

  • Supply chain. Understanding and minimising security risks to all other entities with which your business comes into contact throughout the supply chain.

Protecting against cyber attacks

  • Service protection policies and processes. Defining specific policies and processes geared towards safeguarding the data and systems essential to public services, and communicating those to all involved parties throughout the company.

  • Identity and access control. Establishing protocols to limit, document and understand who can access your company’s databases and systems and from where.

  • Data security. Safeguarding all electronic data held by your company that is vital to delivering essential public services.

  • System security. Safeguarding all of the systems used by your company that are vital to delivering essential public services.

  • Resilient networks and systems. Continually improving your company’s online defences so that essential services remain resilient in the face of cyber-attacks.

  • Staff awareness and training. Giving staff the appropriate training, information and tools to allow them to deliver essential services safely and securely.

Detecting cyber security events

  • Security monitoring. Assessing the existing cyber infrastructure to identify weak points, track effectiveness of defences and detect potential threats.

  • Proactive security event discovery. Detecting suspicious activity in the relevant databases and networks before it becomes a threat.

Minimising the impact of cyber security incidents

  • Response and recovery planning. Implementing appropriate incident management, mitigation and response programmes in the event of an attack.

  • Lessons learned. Using the information learned from previous attempts to breach security to better prepare online defences in the future.

Compliance with the directive is enforced by one or more national competent authorities (CAs), as appointed by the NCSC. For OESs, compliance is verified through an auditing process conducted by the relevant CA. While DSPs are not subject to the same audits, they must still comply and will be penalised by the CA if non-compliance is discovered, either after a cyber-attack has taken place or as a result of the DSP being reported to the CA by a third party.

Penalties for non-compliance are in keeping with those associated with the GDPR regulation. In the UK, a company that has been found to have fallen short of meeting its NIS Directive obligations can be fined up to a maximum of £17 million.

Covering all bases

While the penalties for non-compliance are enough to bankrupt most SMEs in the UK, the NCSC has indicated that those maximum penalties will only be reserved as a last resort for repeat offenders and that the fines will “not apply to operators which have assessed the risks adequately, taken appropriate security measures and engaged with regulators but still suffered an attack.”

As such, any enterprise which satisfies all of the 14 principles outlined above should ensure it does not fall foul of the NIS Directive and avoids hefty penalties. Of course, the language used even in these supposedly specific examples can be ambiguous, and that, coupled with an absence of tangible guidelines on how exactly to go about reinforcing cyber security in practical terms, can make it difficult to know exactly how much security is enough.

That’s why when it comes to handling NIS Directive (and GDPR) compliance, it makes sense to leave it up to the professionals. This is especially true for SMEs and smaller outfits which don’t have the resources, staff or financial backing to spend vast amounts of time and money on meeting their cyber security obligations. At Quorum Cyber, we have developed a range of packages designed to help you minimise the risk of a threat actor gaining access to your company’s database and networks, thus fulfilling your legal commitments and safeguarding your assets in one fell swoop.

Our Big Red Button services are specifically geared towards helping businesses of all sizes quickly, easily and efficiently tighten up their online defences at an affordable price. This not only frees up in-house staff for other tasks, but also ensures your company is compliant with the latest legislation and meets Cyber Essentials guidelines, which is key for any outfit looking to handle government contracts. Indeed, we’re one of the only companies in Scotland qualified to do so.

For more information on how we can help your business meet its EU obligations and stamp out cyber-crime, get in touch with us today.
