DATA SECURITY KNOWLEDGE BASE

The Directive on security of network and information systems (NIS Directive) is the first piece of cybersecurity legislation passed by the European Union (EU). The Directive was adopted on July 6, 2016 and its aim is to achieve a high common standard of network and information security across all EU Member States. The Directive took effect in August 2016, from which point EU Member States have 21 months to integrate its requirements into their own national laws and an additional 6 months to identify the companies which are subject to NIS Directive compliance.

The NIS sets a range of network and information security requirements which apply to operators of essential services and digital service providers (DSPs). The “operators of essential services” referred to in the legislation include enterprises in the energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, and digital infrastructure sectors. The NIS Directive requires each EU Member State to put together a list of organizations within those sectors who they consider to be essential service providers.

The Directive defines a digital service as “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.” The specific types of DSPs outlines in the Directive include cloud service providers, online marketplaces, and search engines. DSPs should be aware that the NIS Directive also applies to companies based outside of the EU whose services are available within the EU. These companies are obliged to assign an EU-based representative to act on their behalf in ensuring NIS Directive compliance. DSPs are, however, subject to a less stringent framework than the “operators of essential services” outlined in the Directive.

Requirements of the NIS Directive

The NIS Directive includes a number of requirements around incident response and the implementation of technical security measures based on risk. The requirements are designed to improve cross-border cooperation in information and network security and foster a culture of risk management.

• EU Security Network: To improve cross-border cooperation, the Directive will create a network of Computer Security Incident Response Teams (CSIRTs) in each Member State. Member States are also required to designate National Competent Authorities (NCAs) and Single Points of Contact (SPoC) for cybersecurity monitoring, reporting, incident response, and other cross-border coordination. CSIRTs are also required to have access to “adequate resources and equipment” including a secure and resilient infrastructure. The CSIRTs from each Member State will have a range of tasks, including monitoring national security incidents, disseminating early warnings, alerts, and announcements about cybersecurity, providing dynamic risk analysis, and coordinating with CSIRTs from other Member States.
• Member State Strategy: EU Member States are required to implement a national cybersecurity strategy defining security goals as well as relevant policy and regulations needed to enforce the strategy. The Directive requires that any strategy should include things like governance frameworks, response and recovery measures, public and private sector security cooperation planning, security awareness education programs, risk assessment plans, and lists of people and organizations involved in the strategy. Member States are also required to designate a minimum of one NCA to monitor the impact and implementation of the NIS Directive at national level. Each Member State SPoC must communicate with other Member State SPoCs to enhance cooperation as well.
• Cooperation Group: In addition to the other bodies established by the NIS Directive, there is a further requirement to create a Cooperation Group whose purpose is to facilitate collaboration around cybersecurity between Member States. The Cooperation Group is made up of representatives from Member States and the European Union Agency for Network and Information Security (ENISA) with a member of the European Commission acting as secretariat. The Cooperation Group is focused on planning, steering, and reposting on the implementation of the NIS Directive. The Group’s chief responsibilities include offering guidance to the newly-established CSIRTs network, helping Member States pinpoint which services should be categorized as “operators of essential services,” engaging with relevant bodies on security-related incidents and issues, sharing security best practices, and generally raising awareness on cybersecurity in the EU. The Group must also file a report every 18 months providing some detail on the level of cooperation taking place and the progress of NIS Directive implementation.
• Incident Reporting: Those organizations who qualify as DSPs under the Directive’s criteria must implement a range of risk management measures both technical and operational. DSP organizations must comply with the Directive’s incident reporting protocol, which requires that organizations notify “without undue delay” CSIRTs and other relevant bodies about any significant security incidents encountered.

Penalties for Non-Compliance with the NIS Directive

The NIS Directive states that the responsibility to determine penalties for non-compliance lies with the individual Member States and not the EU. The Directive does, however, state that penalties must be “effective, proportionate, and dissuasive.” Organizations that fail to comply with the NIS Directive are subject to reactive ex-post supervisory activities by NCAs.

Organizations may be asked to provide the materials and information needed to assess the security of their networks and information infrastructure. Unlike essential service providers, DSPs are not obligated to provide this information. It should be noted, however, that the Directive applies to data breaches and all other incidents which might impact the provision of essential services and DSP services.

Best Practices for NIS Directive Compliance

There are a number of steps organization should take to ensure they remain in compliance with the NIS Directive.

• Contact NCAs: Organizations within the scope of the Directive should contact their Member State’s NCA to find out which authority to contact in the event of a security incident and also to figure out which body can sanction them in the event of non-compliance.
• Liaise with CSIRTs: Organizations should contact CSIRTs to obtain information about current security threats and get further clarity on cybersecurity issues.
• Implement technical and organizational security measures: The Directive requires organizations to implement a range of security measures in areas like system security, incident management, testing, and compliance with international standards. While the Directive is short on specifics, organizations should follow all industry cybersecurity best practices and look to meet other compliance regulations such as the GDPR, many of which have overlapping requirements. Organizations should also conduct risk assessments regularly and implement measures to mitigate identified risks.
• Implement an effective security incident response process: Incident reporting is a key part of the Directive. You should hone your own incident reporting process including things like number of users affected, duration of incident, geography, economic impact, and service disruption. Upon discovery of an incident, notification should be made to the NCA or CSIRT “without delay.”

Further Reading

To learn more about the NIS Directive, check out the following resources:

• EU Directive on Cybersecurity Agreed
• New EU NIS Directive Introduced