The NIS Directive: who does it apply to and what will it mean?

May 2018 is a big month for cyber security.

Not only will the EU General Data Protection Regulation (GDPR) come into effect but a new UK Data Protection Act will enshrine GDPR’s principles in UK law in the same month. In addition, the EU Network and Information System (NIS) Directive, which aims to increase the security of network and information systems across the EU by encouraging the adoption of International and European standards, will also be implemented into UK law in May 2018. It is of particular importance to organisations which provide essential services, or those which supply those who provide these services.

There is, however, nothing to fear regarding NIS Directive compliance. By adopting the ISO 27001 International Standard for Information Security best practice and implementing robust Disaster Recovery and Business Continuity Management plans, organisations can ensure that compliance is achieved.

Whereas GDPR relates to the loss of personal data, the NIS Directive addresses the loss of service by IT networks and information systems. Specifically, it relates to safeguarding essential services, and those who fail to implement effective cyber security measures will face fines of up to £17m or 4 per cent of global turnover.

The measures outlined in the NIS Directive are part of the UK Government’s five-year, £1.9bn National Cyber Security Strategy. They are designed to ensure that the UK’s essential networks and infrastructure are kept safe and secure against the risk of cyber attacks. Not only will operators in electricity, transport, water, energy, health and digital infrastructure be required to demonstrate a resilient cyber defence, they will also need to demonstrate that they have robust incident response plans in place.

The NIS Directive is not, however, limited to these organisations. It is important that UK technology firms establish whether they fall within the scope of the NIS Directive, because it applies not only to essential services but also to those who are significant suppliers to operators of essential services. This covers a multitude of organisations and extends to online marketplaces, online search engines and cloud computing services.

Although the potential fines of up to £17m make for headline figures, the Department for Digital, Culture, Media and Sport has made it clear that they are a last resort. Where operators can demonstrate that they have conducted adequate risk assessments, enacted appropriate security measures, implemented robust incident response plans and are fully engaged with the process, these fines will not apply.

The key, therefore, is to be able to demonstrate that the NIS Directive is at the core of an organisation’s cyber defence strategy. From staff training to penetration testing; from incident management to business continuity planning and ongoing resilience: every stage needs to be addressed. Those already in the process of adopting GDPR into their business process will be some way towards the NIS Directive’s requirements, but it is important to know what additional steps need to be taken.

Professional support is an important and cost-effective way to manage this process. SRM has helped many organisations become ready for ISO 27001 certification, and can assist with Business Continuity and Disaster Recovery. With experience and expertise across a whole range of organisations and a sound understanding of the requirements of the NIS Directive, SRM’s consultancy team can steer and manage the process without wasting time or budget.

For more information see:

GDPR free live webinar: the roles of manual and automated penetration testing

ISO27001 Lead auditor and pre-audit preparation

GDPR Self Assessment Questionnaire
