The NIS Directive – What is it & What does it mean?
What is it?
The Network and Information Security (NIS) Directive is a measure brought forward by the European Union to safeguard critical infrastructure in essential services against attack. The NIS Directive came into effect on 6 July 2016, and the deadline for complete implementation is 9 May.
What needs to be done?
At a national level, the directive requires each member state to establish a cyber-security strategy and a Computer Security Incident Response Team (CSIRT), along with a competent authority to oversee these matters. Failure to comply with the directive will have major consequences, as member states set their own financial penalties for services in violation.
Why is it required?
Cyber security for critical assets is paramount for essential services that rely heavily on information and communication technology. The NIS Directive focuses on Operators of Essential Services (OES) and Digital Service Providers (DSP), requiring them to safeguard sensitive assets and infrastructure from ransomware attacks such as the WannaCry attacks the NHS endured in 2016. With countries becoming ever more dependent on digital and information systems, securing that infrastructure against attack has become a global necessity.
How are other countries transitioning?
Many of the leading European countries have set plans in motion for implementation. Because the NIS is a directive rather than a regulation, each member state has to transpose its provisions into its own national legislative framework. Various countries have got the ball rolling: the United Kingdom has confirmed that it will issue penalties in the region of £17 million or 4% of global turnover to services that don’t comply with the NIS.
Poland has announced the opening of a new national centre dedicated to cybersecurity (NC Cyber). Belgium has set out six flagship measures to enhance cybersecurity. The Czech Republic has altered its cybersecurity laws to take account of more critical sectors and comply with the directive’s requirements. Croatia has set up a working group to determine how the directive will be transposed. Sweden has specified the level of penalties and the bodies responsible for implementation. Italy has revised its National Plan for Cyber Protection and Digital Security to align with the provisions of the directive. The plan is very “non-directive”: it sets out objectives but does not specify how they are to be achieved. Each country must therefore work out its own interpretation and create a complete plan that will meet the directive.
How can you learn more?
Given the timescale, implementation should be nearly complete across Europe, but this is only the first step; the real challenge is maintaining a strict level of security across sectors. Cybersecurity events are the best way to learn more about the key issues relating to the NIS Directive and other important topics. Time is of the essence, and learning what higher-level executives are doing and understanding their methods is key to successful long-term maintenance. The first cybersecurity event after the implementation deadline is ItaliaSec, held in Rome one week after the deadline on 15-16 May. The opening panel of the summit is packed with major players in the OES sector, and they will be discussing the NIS Directive in great detail. You can learn more about that event here:
Overall, the NIS Directive aims to increase the standardisation of information security levels across the whole of Europe, a process that will be one to watch. Whether you’re an OES, a DSP or just a member of the general public, the NIS Directive affects everyone across Europe, as cyber security is an ever-evolving problem that requires our full attention.