Not GDPR: the other Directive you need to know about

Head of Security Advisory & Technical Services, BAE Systems
There’s been a lot written, said and done recently about the General Data Protection Regulation (GDPR), and all the noise is at least partly justified. It affects the majority of businesses and organisations, there’s a hard deadline for compliance, and the potential penalties for getting it wrong are really rather spectacular.
However, there is another Directive making its way into law in the UK shortly that businesses also need to be aware of. Whilst the number of organisations impacted by it is much smaller than the number processing our personal data, by definition these providers of critical services are equally important to each and every one of us.

The NIS Directive - Security of Network and Information Systems

The NIS Directive targets organisations that provide Critical National Infrastructure. That means utilities like water, transport, telecommunications and digital services, and healthcare. And as with GDPR, this Directive includes the prospect of serious penalties for organisations in breach.
In May 2018, the UK and other EU nations will adopt the EU Network and Information Services Directive (NIS) for infrastructure providers to defend against and report attacks. The UK Government has confirmed that exit from the EU will not affect this legislation and regulatory regime.
The good news is that, in pretty much every case, the Directive simply promotes best practice, and should be treated as an opportunity to review measures already in place, and, if need be, update, extend and fill in any potential gaps.
The NIS Cyber Assessment Framework Agreement will be released in April, but the high level principles have already been published. The principles set out what the Government is looking for from suppliers, from governance, supply chain and proactive security monitoring through to maintaining an incident response regime and separate procedures for reporting breaches and incidents. They can be used as a checklist to ensure your organisation is on the right track, for example:

Security Monitoring

To meet the Security Monitoring and Proactive Security Event Discovery requirements of the Directive, you will need to look for the following services (either in-house or outsourced):
  • Intelligence-led and threat-focused detection and response
  • Proactive threat hunting for insider and external threats
  • Industry-leading detection analytics
  • Accuracy and speed of response through machine-accelerated human decisions
  • Complete infrastructure coverage from endpoint to cloud
  • Access to the latest technology, techniques and processes with specialist support, all delivered from a dedicated Security Operations Centre staffed around the clock.

Incident Response

The requirement for Response and Recovery Planning should fit into your organisation’s existing plans and best practice. If and when a successful cyber attack hits your network and business processes, you will need an effective cyber incident response team to help you meet the requirements for Response and Recovery Planning. 

Supply Chain Assurance

The new legislation requires you to understand and manage security risks within your supply chain that may harm the essential services you provide. It’s vital to identify your critical suppliers, conduct a proportionate level of assessment, and manage activities in a manner that focuses on outcomes.


If looking through the NIS Directive gives you the impression that you’re looking at a common sense checklist for businesses that both deliver vital services to the country and make attractive cyber targets, you’re not alone. Some obligations may seem onerous at first glance, but they also build the foundation for a resilient organisation. Even if your business doesn’t provide a vital national service, it’s worth spending a little time looking through the principles.
Robin Oldham, Head of Security Advisory & Technical Services, BAE Systems, 3 April 2018