Thinking About : digital service providers should prepare for the NIS Directive

Many organisations are focused on the EU General Data Protection Regulation(GDPR), but this May sees another EU legislation coming into effect: the Directive on security of network and information systems (NIS Directive).

In the UK, the NIS Directive applies to operators of essential services (OES) and digital service providers (DSPs) involved in:

• Drinking water supply and distribution;
• Energy;
• Digital infrastructure;
• The health sector; and
• Transport.

There are slight differences in the way OES and DSPs need to prepare for the Directive, but guidance is coming thick and fast.

Last year, the European Commission published a draft implementation regulationfor DSPs, which Elizabeth Denham, the UK’s information commissioner, commented on. She criticised “the overly rigid parameters” of the regulation, which “may be undesirable and may lead to a failure to report incidents which nevertheless have a substantial impact on the users of the service and which should, by the nature of the impact, be considered for regulatory action”.

The European Commission has since approved the final draft, and the UK government has released the findings of a public consultation on how it should implement and regulate the NIS Directive. IT Governance has also published a compliance guide.

Each of these documents will help you understand where the NIS Directive fits into the cyber security landscape. DSPs will have to be particularly organised, as they are expected to define their own information security measures proportionate and appropriate to the potential risks they face. These measures must address:

Information security

• The systematic management of network and information systems, which will require organisations to map their information systems and set up appropriate policies, covering risk analysis, human resources, security of operations, security architecture, system lifecycle management and, where applicable, encryption.
• Physical and environmental security, protecting against environmental damage and accidental or malicious actors.
• Security policies to ensure that service functionality supplies are accessible.
• Access control measures to ensure that physical and logical access is “authorised and restricted based on business and security requirements”.

Incident management

• Detection processes and procedures, which should be regularly monitored to ensure that they are up to data and effective.
• Processes and policies for reporting vulnerabilities and security incidents.
• Procedures for documenting the response to cyber security incidents.
• Incident analyses to assess an incident’s severity and collect information for the organisation’s continual improvement process.

Business continuity

• Contingency plans based on a business impact analysis, ensuring the continuity of services.
• Disaster recovery plans appropriate to the potential risks.

Monitoring, auditing and testing

• Planned monitoring to assess whether information systems are working as they should.
• Auditing and measurements to monitor whether the organisation is complying with relevant standards or guidelines.
• Processes aimed at revealing flaws in security systems, covering both technology and the people involved in the security system.

Get started with the NIS Directive

Those who want help preparing for the NIS Directive should consider our cyber resilience solutions. An effective cyber resilience strategy can mitigate the risk of cyber incidents and enables you to respond to attacks, containing any damage and allowing you to promptly return to ‘business as usual’.