What Is the NIS Directive?
According to the NIS Directive, EU Member States should adopt a common set of baseline security requirements to ensure a minimum level of harmonized security measures across Member States and to raise the overall level of security of operators of essential services (OES) and digital service providers (DSP) in the EU. The NIS Directive sets three primary objectives:
- to improve the national information security capabilities of the Member States
- to build mutual cooperation at EU level
- to promote a culture of risk management and incident reporting among actors (OES and DSP) of particular importance for the maintenance of key economic and societal activities in the Union.
To reach these objectives, the Directive requires Member States to:
- ensure that a national framework is in place so that they are equipped to manage cybersecurity incidents and oversee the application of the Directive. This includes a National Cyber Security Strategy, a Computer Security Incident Response Team (CSIRT), and one or more National Competent Authorities (NCA).
- set up a Cooperation Group among Member States to support and facilitate strategic cooperation and the exchange of information. The Member States also participate in a CSIRT Network to promote swift and effective operational cooperation on specific network and information system security incidents and to share information about risks.
- identify the organizations within vital sectors that rely heavily on information networks, for example utilities, healthcare, transport, and digital infrastructure, as "operators of essential services" (OES). Those OES are required to take appropriate and proportionate security measures to manage risks to their network and information systems, and to notify incidents with a significant impact on service continuity to the relevant national authority. The participation of industry is therefore crucial in the implementation of the Directive.
Annex III of the Directive names three types of digital service that bring a provider within scope as a DSP: online marketplaces, online search engines, and cloud computing services.
- The Directive defines an online search engine as "a digital service that allows users to perform searches of, in principle, all websites or websites in a particular language on the basis of a query … and returns links in which information related to the requested content can be found."
- The Communication on the NIS Directive, which is intended to help Member States implement it, noted that there are three main cloud service models: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS).
- The Directive makes clear that online marketplaces may include services such as the processing of transactions, the aggregation of data, or the profiling of users, and that application software stores are a type of online marketplace.
NIS Directive Applicability
Although the NIS Directive is a European piece of legislation, it has global implications. For instance, the Directive applies to U.S. companies with operations in Member States. This means that U.S. companies may have to implement security requirements, turn over operational data so that national authorities can assess their compliance, and perform required remediation measures. In addition, if a DSP has its main establishment in one Member State and networks and systems located in other Member States, the DSP falls under the jurisdiction of the national authority of the Member State of its main establishment, and the national authorities of the other Member States cooperate with that authority. A DSP that is not established in the EU but offers services within it must designate a representative in one of the Member States where its services are offered.
Compliance with the NIS Security Requirements
Meeting the objectives and the security requirements of the NIS Directive can be a demanding exercise. Information security audits and self-assessment/management exercises are the two major enablers for achieving it. The compliance assessment performed by national competent authorities (NCA) rests on Articles 14, 15 and 16 of the NIS Directive, which define the risk management and auditing obligations of OES (Articles 14 and 15) and DSP (Article 16).
- Article 14: “Member States shall ensure that operators of essential services take appropriate and proportionate technical and organizational measures to manage the risks posed to the security of network and information systems which they use in their operations. Having regard to the state of the art, those measures shall ensure a level of security of network and information systems appropriate to the risk posed.”
- Article 15: "Member States shall ensure that the competent authorities have the powers and means to require operators of essential services to provide […] (b) evidence of the effective implementation of security policies, such as the results of a security audit carried out by the competent authority or a qualified auditor and, in the latter case, to make the results thereof, including the underlying evidence, available to the competent authority."
- Article 16: “Member States shall ensure that digital service providers identify and take appropriate and proportionate technical and organizational measures to manage the risks posed to the security of network and information systems which they use in the context of offering services referred to in Annex III within the Union. Having regard to the state of the art, those measures shall ensure a level of security of network and information systems appropriate to the risk posed, and shall take into account the following elements: a) the security of systems and facilities, b) incident handling, c) business continuity management, d) monitoring, auditing and testing, and e) compliance with international standards.”
In practice, audits and self-assessments of this kind are used:
- by both OES and DSP to demonstrate compliance with the NIS Directive security requirements
- as the baseline for building an information security program that manages risk and reduces vulnerabilities
- to define and prioritize the tasks required to raise the level of security in a risk-based IT security environment