Have you heard about the European Union's Network and Information Security (NIS) Directive, which is scheduled to enter into member state law in 2018? Maybe not. Both the world’s attention and appetite for IT security legislation has been overfed with all things General Data Protection Regulation (GDPR) over the past two years, leaving little limelight for its younger sibling. Yet despite slipping under the radar, its requirements will have profound consequences for those it applies to whether they know it or not. Below are ten things you should know about the NIS directive, how it differs from the GDPR, its requirements and its application:
1. It’s a Directive, not a Regulation
With the noise generated by the GDPR, many will have brushed up on the European law glossaries recently, noting that the NIS is a directive and not a regulation. Unlike a regulation, which is absorbed into member state law in its original form, a directive is an instruction to member state governments to implement their own laws in the spirit of the directive. The UK's outgoing Data Protection Act 1998 was the result of the European Data Protection Directive 1995.
2. Brexit Changes Nothing
Much has been made of the UK's exit from the European Union and how that affects incoming legislation during the negotiation period. Like the GDPR, the NIS will begin to affect member states in 2018 – before the UK has officially left the EU. Despite the grey area, the government of the UK has confirmed that NIS will be transposed into local law at the expected timeframe despite an uncertain future.
3. What is Its Purpose?
The NIS directive aims to improve the cybersecurity capabilities at a national level and foster better communication across EU member states. This will involve each member state adopting a national strategy on achieving a high level of cybersecurity for networks and information systems across essential services.
4. A Focused Scope
The NIS is smaller in its scope than the GDPR and will be applicable to organizations operating in critical verticals, sometimes referred to as CNI (Critical National Infrastructure). This includes energy, transport, banking, financial market infrastructures, health, water, and digital infrastructure. The NIS categorizes two types of target organizations:
- Operators of Essential Services – OoESs are to be identified by member states by no later than Q4 2018. They will be determined based on whether the entity provides a service that is essential for the maintenance of critical societal/economic activities, the provision of that service depends on network and information systems, and a security incident would have significant disruptive effects on the provision of the essential service.
- Digital Service Providers – A DSP (Digital Service Provider) is defined as a person or organization offering a digital service at a distance which could cause widespread disruption if unavailable to an OoES (Operator of Essential Services). Specifically referred to in the NIS directive are online marketplaces, cloud computing services and online search engines.
5. Security Obligations and Breach Notifications
Much like the GDPR, there are obligations for OoESs and DSPs to implement “state of the art” technologies to manage the security risks of their networks and systems, with mandatory breach notifications to NCAs (National Competent Authorities) and CSIRTs (Computer Security Incident Response Teams) in the event of an substantial or significant incident.
6. Appointment of an/a NCA(s)
The directive requires each member state to designate one or more NCAs (National Competent Authority) that will monitor the application of the NIS at a national level. In the case of multiple NCAs, each NCA will be assigned one or more sectors to achieve a clear jurisdiction. In either case, each member state will need to nominate a SPoE (Single Point of Contact) that will liaise with other member states and CSIRTs on behalf of all NCAs.
7. The CSIRTs
Computer Security Incident Response Teams will be responsible for monitoring incidents, providing early threat warnings, and responding to any incidents. As with the NCAs, a Member State may designate multiple CSIRTs. In addition, the NIS Directive establishes a network of CSIRTs in which each Member State CSIRT must participate. This network’s duties include exchanging information about security incidents and providing member States with support in addressing cross-border incidents.
8. Enforcement is Relative
Unlike the GDPR, the ability to punish those who are non-compliant is flexible based on the Member State. The directive allows NCAs to forcibly request information from DSPs and OoESs in order to assess their implementation of NIS and order corrective action. However, when it comes to penalties, it permits member states to develop their own sanctions so long as they are proportionate, effective and dissuasive.
9. Extra-Territorial Reach
DSPs and OoESs are deemed to be under the jurisdiction of the NIS directive where their main establishment is. If they are not based in an EU or EEA member state and offer in-scope services, they must still comply with the directive and appoint a representative based in an EU or EEA member state.
10. What’s Next?
The directive has set out clear timeframes for Member States to follow. Based on the information available at the time of writing, the directive is expected to be accepted into Member State law by Q2 2018. Once transposed into national law, Member States will have up to six months to identify their local OoESs.
NIS vs. GDPR
Considering the timing and its focus on network and information security systems, it is natural to compare the NIS directive and the GDPR. However, the NIS is both narrower and broader than the GDPR in different ways. For example, the NIS directive refers to wider system-level defences and risk mitigation rather than personal information and its relative collection and processing. Yet it is also directed toward specific organizations, in particular, those that are deemed to perform or provide critical services. In either case, it will be a reality for some that they need to comply with both, a tough task for compliance officers in the coming twenty-four months. It is easy to point at meddling European politicians as introducing reams of red-tape and costly requirements, but we have all seen the consequences of critical services being unavailable. Examples include British Airways computer systems being non-operational for a number of days leading to large-scale disruption and the NHS having to turn away patients because of the WannaCry ransomware outbreak. In today’s world, it not always about how strong your army is, how tough your immigration policy is, or how high you can build a wall. It is about the cyber resilience of those services we all rely on. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.