What is the NIS Directive?

Definition, Requirements, Penalties, Best Practices for Compliance, and More

The Directive on security of network and information systems (NIS Directive) is the first piece of cybersecurity legislation passed by the European Union (EU). The Directive was adopted on July 6, 2016 and its aim is to achieve a high common standard of network and information security across all EU Member States. The Directive took effect in August 2016, from which point EU Member States have 21 months to integrate its requirements into their own national laws and an additional 6 months to identify the companies which are subject to NIS Directive compliance.

The NIS Directive sets a range of network and information security requirements which apply to operators of essential services and digital service providers (DSPs). The “operators of essential services” referred to in the legislation include enterprises in the energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, and digital infrastructure sectors. The NIS Directive requires each EU Member State to put together a list of organizations within those sectors that it considers to be essential service providers.

The Directive defines a digital service as “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.” The specific types of DSPs outlined in the Directive include cloud service providers, online marketplaces, and search engines. DSPs should be aware that the NIS Directive also applies to companies based outside of the EU whose services are available within the EU. These companies are obliged to assign an EU-based representative to act on their behalf in ensuring NIS Directive compliance. DSPs are, however, subject to a less stringent framework than the “operators of essential services” outlined in the Directive.

Requirements of the NIS Directive

The NIS Directive includes a number of requirements around incident response and the implementation of technical security measures based on risk. The requirements are designed to improve cross-border cooperation in information and network security and foster a culture of risk management.

EU Security Network:

To improve cross-border cooperation, the Directive will create a network of Computer Security Incident Response Teams (CSIRTs) in each Member State. Member States are also required to designate National Competent Authorities (NCAs) and Single Points of Contact (SPoC) for cybersecurity monitoring, reporting, incident response, and other cross-border coordination. CSIRTs are also required to have access to “adequate resources and equipment” including a secure and resilient infrastructure. The CSIRTs from each Member State will have a range of tasks, including monitoring national security incidents, disseminating early warnings, alerts, and announcements about cybersecurity, providing dynamic risk analysis, and coordinating with CSIRTs from other Member States.

Penalties for Non-Compliance with the NIS Directive

The NIS Directive states that the responsibility to determine penalties for non-compliance lies with the individual Member States and not the EU. The Directive does, however, state that penalties must be “effective, proportionate, and dissuasive.” Organizations that fail to comply with the NIS Directive are subject to reactive ex-post supervisory activities by NCAs.

Organizations may be asked to provide the materials and information needed to assess the security of their networks and information infrastructure. Unlike essential service providers, DSPs are not obligated to provide this information. It should be noted, however, that the Directive applies to data breaches and all other incidents which might impact the provision of essential services and DSP services.

Best Practices for NIS Directive Compliance

There are a number of steps organizations should take to ensure they remain in compliance with the NIS Directive.

Contact NCAs:

Organizations within the scope of the Directive should contact their Member State’s NCA to find out which authority to contact in the event of a security incident and also to figure out which body can sanction them in the event of non-compliance.

Liaise with CSIRTs:

Organizations should contact CSIRTs to obtain information about current security threats and get further clarity on cybersecurity issues.

Implement technical and organizational security measures:

The Directive requires organizations to implement a range of security measures in areas like system security, incident management, testing, and compliance with international standards. While the Directive is short on specifics, organizations should follow all industry cybersecurity best practices and look to meet other compliance regulations such as the GDPR, many of which have overlapping requirements. Organizations should also conduct risk assessments regularly and implement measures to mitigate identified risks.

Implement an effective security incident response process:

Incident reporting is a key part of the Directive. Organizations should refine their own incident reporting process so that each report captures details such as the number of users affected, the duration of the incident, the geographic area affected, the economic impact, and the extent of service disruption. Upon discovery of an incident, notification should be made to the NCA or CSIRT “without delay.”

Further Reading

To learn more about the NIS Directive, check out the following resources: