May 9, 2018 was the deadline for the new Network and Information Security (NIS) Directive to be transposed into EU member states’ national legislation. This new regulation is aimed at creating a base level of security for organizations that are operating essential services within the EU. The primary sectors covered by this regulation are: energy providers, transport, banking, financial services infrastructure, health, water, and digital infrastructure providers. Organizations in this scope are termed “operators of essential services” and must implement the provisions of the directive to form the required base level of security for those services.
This EU directive was passed on July 6, 2016, and member states were given 21 months to transpose it into their national legislation, a deadline that falls today. While much of the preparation over the past two years has been concerned with building capabilities at the member-state level, it is only now that the directive is going to start impacting your company directly.
You will start to find out over the next six months whether you are in scope of the directive (by November 9, 2018 at the latest). Here are some of the key ways in which you will be impacted:
Financial penalties for breaches of the directive. There are penalties for breaches impacting essential services. The UK’s GBP 17 million maximum penalty has already made headlines for its size. The maximum fine is not consistent across the EU, as each member state determines the level it will levy.
Mandatory security breach notification. Organizations will need to notify their designated competent authority of any breach that impacts the services they operate, not just those impacting personal data. Timeframes have not been specified, but some are suggesting mirroring the GDPR 72-hour breach notification requirement.
Some of your breach data will be shared to help inform others. The breach data received from operators may be distributed to other EU member states through threat intelligence sharing channels. This sharing of information to help other, similar operators is a new and potentially interesting expansion that could take cross-EU cyber cooperation up a level.
You may need to adjust or implement new security controls. The directive calls for a base level of security controls to be implemented, dependent on the assessment of the key risks facing an organization’s services.
You will need to take steps to manage your supply chain. While not directly in the scope of the NIS Directive, operators of essential services are expected to assure themselves that their supply chain abides by the same standards that they do.
Digital service providers are particularly impacted. For the first time, there is an explicit recognition in cyber regulation that many companies and citizens are highly reliant on cloud computing services and digital search facilities. This obliges some of the largest American-based organizations providing software-as-a-service (SaaS) to comply with the NIS Directive.
The good news is that most organizations will already have most of what is required in place.
I have some concerns about the way that the directive is being applied across Europe, which I think creates potential difficulties for organizations impacted by it:
I will be undertaking research later in the year to understand how organizations are getting on with NIS Directive implementation and how member states are applying it.
The original Forrester Blog is here. The views and opinions expressed in this article are those of the author and do not necessarily reflect those of CDOTrends.