In the digital age, businesses need network and information systems for storing important data, streamlining communication, and providing essential services. Since most of this information is highly sensitive, there should be adequate cyber-security measures put in place. A single data breach could cost organizations millions while affecting the company’s legal liability and reputation.
This is where the EU NIS Directive comes in.
What is NIS Regulation?
Adopted in July 2016, the NIS Directive aims to create a standard system of security when it comes to network and information systems across the European Union. The making of this directive required mutual collaboration and effective operational cooperation from each member state. It was to be transposed to member states by May 9, 2018.
NIS regulation is part of the EU’s critical infrastructure regarding network and information systems within the Union’s organizations.
NIS regulations not only cover cybersecurity incidents; they involve physical and environmental aspects that affect these information systems. For instance, power blackouts and flooding may physically affect network and information systems processes.
The purpose of having NIS regulations and directives is to minimize the impact of cyber security incidents on organizations. The tripartite role of the NIS can therefore be summarized as:
- Provide security incident reporting thresholds and procedures
- Risk management
- Improve the resilience of critical networks’ infrastructure
What is Covered by the NIS Regulations?
The NIS directive covers top-level domain name registration services and requires domain name registries to take adequate risk management measures. The Cooperation Group, a European Union agency comprising selected representatives from NIS member states, has created a technical guideline detailing security measures for such entities providing domain names and details.
Generally, the NIS regulations cover two main groups:
- Operators of Essential Services (OES)
- Relevant Digital Service Providers (RDSPs)
1. Operators of Essential Services (OES)
Cybersecurity attacks may not appear serious or intense unless they affect essential services, such as water, healthcare, and energy. These are services we need daily, and if they are negatively impacted they could lead to a ripple effect on all supporting services. When the delivery of these services relies on network and information systems, the organization falls under OES.
The NIS directive is very strict when it comes to OES. Member states should ensure that the designated OES effectively manages any risks posed to the security of the financial market infrastructures within these systems.
2. Relevant Digital Service Providers (RDSPs)
In the United Kingdom, RDSPs are under the Information Commissioner’s Office (ICO) when it comes to regulation. Therefore, RDSPs must register with the ICO, which is their supervisory authority. They are required to report any security incidents if they (will) have a substantial effect on the provision of services to the ICO.
Disclaimer: The ICO regulates RSDPs and not OES.
Digital Service Providers (DSPs) provide the following services:
- Cloud computing services
- Online search engines
- Online marketplaces and banking platforms
Further, to know if you are a Relevant Digital Service Provider in the UK, you should attain the following criteria:
- Have 50 or more staff, and a turnover (or balance sheet total) of over €10m per year
- Your main establishment is in the UK, or you have a nominated representative in the UK or EU
- Offers services in the European Union. Here, your business should generally use a language and currency used in one or more EU member states and mention customers in the EU.
Who is Exempt From NIS Regulations?
Among others, digital service providers who do not meet the above requirements, so that they have fewer than 50 staff, and have a turnover (or balance sheet total) of less than €10 million annually, are exempt.
However, if your company is a digital service provider that is not an RDSP, yet you belong to a larger organization that is an RSDP, you are within the NIS scope. Nonetheless, your organization is still under the UK GDPR regardless of its size, as long as it provides digital services.
How to Achieve Compliance With the NIS Regulations
The compliance journey as detailed by the NIS Directive is pretty straightforward. Organizations need to meet the following requirements in order to comply with the NIS regulations:
- Risk management
- Incident reporting
- Cooperation and information sharing about cyber attacks
- Audits conducted regularly
- Employee training on cybersecurity awareness, technical expertise, and reporting incidents efficiently
The NIS requires that organizations (and their employees) are able to detect and identify a threat, understand the incident reporting requirements, and respond to such threats. Therefore, an effective cyber assessment framework can be surmised as a simple acronym: DRR (Detect, Report, Respond). By doing so, your organization will have attained NIS directive compliance.
Moreover, NIS regulations compliance can be effectively measured using international management system standards, such as ISO 27001 and ISO 27035. The NIS Directive stipulates that any measures that providers of digital services should take into consideration these international standards.
Incident Reporting Measures Under the NIS Regulations
Now that you know that digital service providers have reporting obligations to the NIS, it is prudent to know the specific measures that have been put in place to ensure this is possible.
First, organizations must report incidents within 72 hours of becoming aware of the incident. If the cyber incident has a significant effect on the processes and delivery of services within the organization, reporting must be done immediately. Incidents can be identified using various strategies, such as Security Information and Event Management (SIEM) systems and automated monitoring tools.
Next, proper reporting channels should be used at all times. All member states have designated competent authorities that ensure incident reports are received and effectively handled. Having a centralized reporting agency also helps when sharing information within member states, which in turn develops a suitable risk mitigation strategy and upscaling compliance implementation projects.
When reporting a cyber security incident, the content needs to be detailed and relevant. It should clearly outline what the cyber incident is, the specific date and time, which systems and services have been affected, how many users have been adversely affected, and the particular data that’s been compromised. The incident’s severity needs to meet the NIS reporting threshold. Anything short of this will not be accepted by the NIS.
After this, appropriate follow-up will be made. This will require further cooperation with relevant authorities to ascertain any information required in the investigation. Also, sufficient measures should be taken to ensure that the cyber attack or infringement of the network’s security is wholly mitigated and future attacks are preempted and prevented.
Tip: To further streamline this process, organizations are encouraged to build robust incident reporting measures and procedures. These measures should be 360 degrees and cover everyone from customers, suppliers, and stakeholders to relevant authorities.
In the case of cross-border incidents, such as online marketplaces that offer cross-border services, organizations need to notify relevant authorities both in their home member state and in the member state(s) where the incident happened.
Consequences of Non-Compliance With the NIS Directive
In the UK, for instance, the ICO can take several measures to ensure compliance. They may send enforcement notices, powers of inspection, and even financial penalties of up to €17 million (for the most severe cases).
The degree and amount of the fine depend on the competent authority designated for each member state.
Benefits of the NIS Directive
Organizations that meet NIS compliance requirements enjoy the following advantages:
- Better cybersecurity
- More confidence from customers
- Less legal liability
- Competitive advantage over non-NIS compliant organizations
- The NIS helps deliver practical advice to digital infrastructure sectors, such as cloud computing service providers and data centre service providers.
Brexit and the NIS Regulations
Since the NIS Directive is an EU-wide legislation on cybersecurity measures, and the UK is no longer part of the EU, a potent issue arises: Does the NIS Directive apply to the UK?
Remember that the NIS was transposed to become EU member states’ national law in 2018. It was enacted as UK law as the NIS Regulations 2018 on May 2018. Brexit happened on February 1, 2020, so the UK was already part of the NIS regulation. However, after Brexit, the NIS Directive was tailored to fit a UK-only application.
Therefore if you are a non-UK organization offering services in the UK, you must:
- Appoint a UK representative
- Make a written confirmation of the above using the ICO registration process
- Comply with the NIS regulations in the UK, along with other compliances with your home member state’s regulations
The National Cyber Security Centre (NCSC) is the UK’s cybersecurity organization. It is based in London and started operations in October 2016. Its role is to monitor incidents, detect early warning signs, create a cyber assessment framework, and implement national cybersecurity strategies for all managed service providers.
Conclusion on the NIS Regulations
Ultimately, the role of the NIS regulations is to facilitate strategic cooperation to ensure greater cyber resilience. It should facilitate compliance within OES and DSPs within member states. Each organization should undertake rigorous penetration testing of its systems to come up with proportionate security measures.
The NIS directive is an information security directive that is tasked with maintaining compliance within DNS service providers to build a robust information system security framework.
Featured Image Source: pexels.com
