We live in a world which now places great reliance on network and information systems in every area of the economy. There is little argument against the fact that cyber-attacks can have major societal and economic impacts; but despite this there is often a lack of investment in cyber security across areas of our national infrastructure. Often, businesses cannot accurately calculate the costs of incidents or the benefits of good cyber security and the protection of their digital systems. And in some cases, even the wider societal impacts of a breach are not considered in local corporate risk assessments to the level required to make cyber security a priority.
The EU Directive on Security of Network and Information Systems (the NIS Directive) has been created to address the wider impacts of local cyber events. This directive is a European-wide attempt to require businesses that provide essential services (or form a major part of the digital economy) to implement better cyber security measures, protecting not just themselves but also the wider services they support. Alongside other tools such as the personal-data-focused General Data Protection Regulation (GDPR), it sets a new, higher standard for the security and resilience of the services on which much of the European economy is built.
The UK Government has confirmed that the provisions of the NIS directive will still apply after Brexit.
So who does it apply to?
Each member state is required to publish, by 9 November 2018, a list of the operators of essential services (OES) and digital service providers (DSPs) to which the directive applies. Essential services covered by the directive will include sectors such as energy, transport, banking and health, but also crucial areas of digital infrastructure such as domain registries. It will also apply to online marketplaces and search engines, as these are considered public services on which people place great reliance.
The directive specifically excludes communications service providers, who are covered by other European regulation. It also clarifies that intermediary services, such as comparison services or application stores, are not intended to be covered. Additionally, the directive explicitly removes micro and small businesses from its scope.
What does it require?
The directive's principles are grouped into four areas for organisations to consider: managing security risk, protecting against cyber-attack, detecting cyber security events, and minimising the impact of cyber security incidents.
- Managing security risk: The NIS places considerable focus on risk-based governance; if applicable, your organisation will need to demonstrate its ability to identify, assess, and systematically address risks to the systems that support your critical services. This will include both your organisation and elements of your supply chain deemed essential to the provisioning of these critical services.
- Protecting against cyber-attack: This area contains the protective principles which address the risks you have identified (an organisation's traditional security measures will sit here, but will be better justified through mappings back to your risk management). The security investment you have today is included in this area, but should be clearly justified by the risks you have identified.
- Detecting cyber security events: This area requires that an organisation be able to effectively monitor critical services and any services that support them such that security incidents are noticed in a timely manner.
- Minimising the impact of cyber security incidents: Recognising that incidents will occur, the NIS requires the ability to respond to incidents in a timely and effective manner. This should minimise any negative effects on critical services and restore those services to an operational state.
These security measures relate well to multiple other cyber security frameworks, and organisations in scope may find that, between NIST and other cyber security initiatives, much of their ongoing work to develop cyber security will map well to the new NIS cyber security control areas.
What do we need to do first?
If you are identified as an OES or DSP, you will be required to have a cyber security capability in place to continuously assess risks and improve security measures as your risk landscape changes. You will also need to have the processes and capabilities in place to respond effectively to incidents, both in managing service impacts and notifying the relevant authorities.
As an organisation, you should be asking yourself the following questions:
- Do we track the latest cyber security threats and identify potential risks to our systems?
- Do we implement appropriate technical and business measures to secure our network and systems against our threats and risks?
- Are we implementing and testing the appropriate incident management practices to minimise incidents and their impacts, and to ensure we meet our service level agreements?
- Could we identify a security incident as it occurs and notify the relevant authority without undue delay?
If the answer is no or you’re not sure, you very likely have some significant work to do to meet the NIS directive requirements.
The NIS directive expects an organisation to develop a rigorous security management function which will allow it to have confidence that its security measures and practices address its risks and are aligned to the needs of its customers. Meeting this requirement will be a significant journey for some organisations and one which should be approached with care, but upon completion, businesses meeting the requirements of the NIS directive will find their security posture greatly improved.