The Network and Information System Directive (NIS) was approved by the European Union in August 2016 and, after the new legislation was ratified in the Houses of Parliament in April 2018, it became enforceable in the United Kingdom from 10 May this year, with 20 other EU member states working within similar timelines.
In the maelstrom of publicity and information about General Data Protection Regulation (GDPR), another EU-led law that came in to force in the same month, NIS has “slipped under the radar”, according to Jennie Cleal, senior information security consultant at leading data services consultancy Gemserv. So, what exactly is NIS, why has it been crafted, and who is likely to be affected?
Helpfully, the National Cyber Security Centre (NCSC) – the government organisation launched in 2016, and tasked with bolstering the country’s digital defences – issued a welter of instructive documents designed to explain NIS in January.
When The NIS Guidance Collection was published, NCSC chief executive Ciaran Martin said: “Our new guidance will give clear advice on what organisations need to do to implement essential cyber security measures. Network and information systems give critical support to everyday activities, so it is absolutely vital that they are as secure as possible.”
In short, the NIS Directive aims to ensure UK operators in transport (passenger and freight), water, energy, health and digital services are prepared to deal with the increasing numbers of cyber threats. NIS primarily applies to organisations identified as operators of essential services (OES) and compliance is over seen by the sector regulator and/or responsible government acting as the competent authorities (CAs). The criteria for determining OES and the list of CAs in the UK can be found in the NIS Regulations or you can learn more at the NIS Regulation Breakfast Briefing hosted by Gemserv.
Incidents affecting any of these systems could cause significant damage to the UK’s infrastructure, economy, or result in substantial financial losses
The NIS Guidance Collection states: “Network and information systems and the essential services they support play a vital role in society, from ensuring the supply of energy and water, to the provision of healthcare and passenger and freight transport. Their reliability and security are essential to everyday activities.”
Why is NIS important now? NCSC’s guide to NIS points out: “As we have seen from numerous cyber security incidents these [network and information] systems can be an attractive target for malicious actors, and they can also be susceptible to disruption through single points of failure. Incidents affecting any of these systems could cause significant damage to the UK’s infrastructure, economy, or result in substantial financial losses.
“The magnitude, frequency and impact of network and information system security incidents is increasing. Events such as the 2017 WannaCry ransomware attack, the 2016 attacks on US water utilities, and the 2015 attack on Ukraine’s electricity network clearly highlight the impact that incidents can have.”
It is crucial to point out that NCSC has no regulatory role in NIS; it is, however, the single point of contact for EU partners on NIS and in the UK acts as an advisory body, providing technical support and guidance to other government departments, CAs and OES.
NIS is not prescriptive; rather it takes an outcome-based approach. NCSC has divided the 14 NIS principles into four objectives. These are as follows: A. Managing security risk; B. Defending systems against cyber attack; C. Detecting cyber security events; and D. Minimising the impact of cyber security incidents.
The NIS Directive relates to loss of service rather than loss of data, which falls under the GDPR, though the penalties can be just as damaging. Organisations who fail to implement effective cyber security measures, as outlined by the NIS Directive, they could be fined as much as £17 million plus be caught up in a ‘double jeopardy’ rule, in that if the incident also relates to a breach of personal, then also fined under the GDPR (up to 4 per cent of their global turnover or £20 million, whichever is greater).
We want the UK to be the safest place in the world to live and be online, with our essential services and infrastructure prepared for the increasing risk of cyber attack
When NIS came in to force, in May, Mr Martin of NCSC said: “These new measures will help to strengthen the security of the UK’s infrastructure. By acting on the NCSC’s expert technical advice and reporting incidents, organisations can protect themselves against those who would do us harm.
“The UK government is committed to making the UK the safest place to live and do business online, but we can’t do this alone. Every citizen, business and organisation must play their part.”
The then-Minister for Digital, Matt Hancock, echoed that sentiment, and added: “We want the UK to be the safest place in the world to live and be online, with our essential services and infrastructure prepared for the increasing risk of cyber attack and more resilience against other threats such as power failures and environmental hazards.
“The NIS Directive is an important part of this work and I encourage all public and private organisations in those sectors to take part in this consultation so together we can achieve this aim.”
Get a step ahead with your compliance by attending the upcoming NIS Regulation Breakfast Briefing