The EU Network and Information Security (NIS) Directive

The EU Network and Information Security (NIS) Directive sets out the first EU-wide rules on cyber security. This is in addition to the new requirements for data protection as detailed in the General Data Protection Regulation (GDPR).

Among other provisions, the Directive requires operators of essential services (private or public organisations that provide services in critical sectors such as energy, transport, banking, finance and health) and digital service providers (online marketplaces, search engines and Cloud computing services) to implement appropriate security measures to protect, and ensure the continuity of, the network and information systems used to support “essential services”.

The Directive entered into force in August 2016. EU member states – including the UK – have until May 2018 to translate the Directive into national laws, and a further six months to identify the “operators of essential services and digital service providers” it applies to.

Penalties for non-compliance will be “effective, proportionate and dissuasive”.

 

The NIS Directive requirements

1. Improving national cyber security capabilities

   Member states must adopt national NIS strategies that define strategic objectives and appropriate policy and regulatory measures.

   They must also designate “national competent authorities” to monitor the application of the Directive, and set up Computer Security Incident Response Teams (CSIRTs) to handle incidents and risks.

2. Increasing cooperation between EU member states

   The Directive establishes a cooperation group and a network of national CSIRTs.

   The cooperation group will comprise representatives of member states, the EU Commission and ENISA (the European Union Agency for Network and Information Security), with the Commission acting as secretariat.

   The CSIRTs network will comprise representatives of member states’ CSIRTs and CERT-EU (the Computer Emergency Response Team for the EU institutions, agencies and bodies), with the Commission participating as an observer and ENISA acting as secretariat. The UK’s computer security incident response team, CERT-UK, was formed in 2014.

3. Risk management and incident reporting obligations for operators of essential services and digital service providers

   Operators of essential services

   Operators of essential services must notify serious incidents to the relevant national authority and take appropriate technical and organisational security measures. These measures must be proportionate to identified risks and include “documented security policies”. Evidence of their implementation – such as the results of an independent audit – must also be maintained.

   The CPNI (Centre for the Protection of National Infrastructure) has identified 13 sectors that comprise the UK’s national infrastructure, and it is likely that this will form the basis of the UK’s definition of “essential services” for the purpose of the Directive.

   Digital service providers

   Digital service providers must also notify the relevant national authority of serious incidents and take appropriate technical and organisational security measures. These measures must be proportionate to identified risks and take into account, among other considerations, business continuity management and compliance with international standards.

 

International standards and NIS Directive compliance

Article 19 of the Directive states that, for operators of essential services and digital service providers alike, “Member States shall, without imposing or discriminating in favour of the use of a particular type of technology, encourage the use of European or internationally accepted standards and specifications relevant to the security of network and information systems.”

The only relevant international standards against which organisations can achieve independently accredited certification are:

• ISO 27001, which sets out the requirements for a risk-based ISMS (information security management system), and
• ISO 22301, the international standard for a BCMS (business continuity management system).

 

IT Governance NIS products and services

IT Governance has more than a decade’s experience helping organisations all over the world to carry out governance, risk management and compliance projects. We’ve led more than 400 successful ISO 27001 certification projects, and offer a 100% guarantee of successful certification.

Here are a few ways in which we can help meet your NIS Directive compliance needs.

• Consultancy

  • ISO 27001 packaged solutions
    IT Governance has created six ISO 27001 consultancy packages that combine the products and services you need to implement the Standard at a speed and for a budget that is appropriate for your needs and preferred project approach.

  • ISO 22301 consultancy
    Our business continuity consultants can assess your current BCM plans, policies and procedures, and develop an executive report containing prioritised recommended activities and solutions aligned with ISO 22301. Fixed-price Health Check and FastTrack packages are also available.

  • Incident response
    IT Governance’s Cyber Security Incident Response consultancy service can help you develop the resilience to protect against, remediate and recover from a wide range of cyber incidents, and is based on best-practice frameworks developed by CREST, as well as ISO 27001 and ISO 27035 (the international standard for cyber incident response).

• Documentation toolkits Creating documentation for your management system is never easy, and can run to hundreds of pages. IT Governance’s documentation toolkits contain fully customisable policies and procedures that have been written by our consultants to comply with international standards.

  • ISO 27001
    The ISO 27001 ISMS Documentation Toolkit provides you with a comprehensive set of pre-written ISMS documents that comply with ISO/IEC 27001:2013.

  • ISO 22301
    The ISO 22301 BCMS Implementation Toolkit contains expert guidance and consultant-created content to help you implement an ISO 22301-compliant BCMS quickly and easily, and mitigate the effects of unplanned business disruptions.

• Books
  IT Governance’s publishing arm, ITGP, sources and publishes a wide range of IT GRC books, from pocket guides to implementation manuals. Click here for cyber resilience titles >>

• Software
  vsRisk™ is the industry-leading ISO 27001-compliant risk assessment tool. Proven to save huge amounts of time, effort and expense when tackling complex risk assessment, vsRisk delivers an information security risk assessment quickly and easily.

• Training
  • The ISO 27001 Learning Pathway will equip you with the knowledge and skills required to plan, implement, maintain and audit a best-practice ISMS in your organisation.
  • The ISO 22301 Learning Pathway provides delegates with the knowledge and skills to implement and audit an ISO 22301-compliant BCMS.

  All courses are available in classroom and Live Online formats.

• Penetration testing
  

  Penetration testing is the most effective way of identifying the exploitable vulnerabilities in your company’s Internet-facing applications so that you can take steps to reduce your exposure to cyber attack.

  IT Governance is a CREST member company, meaning that clients can rest assured that our penetration tests will be carried out to the highest standards by qualified and knowledgeable individuals.

 

To discuss your NIS Directive compliance requirements, please call us on 00 800 48 484 484 or email servicecentre@itgovernance.asia.