The NIS regulations were enacted in May 2018 to implement the EU directive to achieve NIS compliance.
The NIS (Network and Information Systems) guidelines aim to guarantee the security of essential services concerning computer systems in important areas of the economy, such as transport, energy, water, health and digital infrastructure.
The strictest NIS directive applies to so-called “operators of essential services”, while a lenient framework applies to online marketplaces, online search engines and cloud computing service providers , as well as to designated in the law as “digital service providers” (DSP ).
Operators of essential services and DSPs are required to ensure the security of their networks and information systems and to report specific information security events to the relevant authorities, in the case of UK NIS regulations, the Information Commissioner’s Office (ICO).
The detailed concept of the NIS regulation/guideline
The EU NIS Directive (Directive on the Security of Networks and Information Systems) is the first national regulatory text cyber security law proposed by the European Commission.
Its objective is to provide the appropriate security measures for networks and information systems in all sectors of essential services and digital infrastructures in the EU.
On 10 May 2018, the NIS Directive was implemented into UK law as the Network and Information Systems Regulations 2018 – sometimes referred to as the “NIS Regulations”.
Who is required to adhere to the NIS Regulations?
The Regulations apply to the following two types of entities:
1. OES (Essential Services Operators)
SEOs are government or private sector organizations that rely on networks and information systems to provide an essential service to society that could be severely disrupted by a cyberattack. The energy, transport, water and health sectors all fall under this description. The majority of banking and financial services companies are exempt from the majority of the NIS regulation, as the Bank of England and the Financial Conduct Authority already apply high standards in finance.
2. RDSP (Relevant Digital Service Providers)
The NIS Rules also apply to three categories of entities providing digital services:
- online marketplace,
- online research agencies, and
- cloud computing services (including infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS) providers).
RDSPs with less than 50 employees, a registered office outside the UK and/or an annual turnover of less than €10 million are exempt from the NIS regulation.
It should be noted that the regulation does not apply to DSPs classified as “micro or small enterprise” (companies with less than 50 employees and whose annual turnover and/or balance sheet total is less than 10 million euros). euros (approximately £8.7 million)).
What is the difference between the NIS regulation/guideline and the GDPR?
Many provisions of the NIS Directive and Regulation are in line with the General Data Protection Regulation (GDPR).
While the NIS Directive and Regulation apply only to Operators of Essential Services (OES) and Relevant Digital Service Providers (RDSP), the GDPR extends to all organizations that process personal data.
Many organizations will have taken steps to ensure GDPR compliance, and such efforts can help meet both criteria simultaneously.
What appropriate and proportionate measures are required from OES and RDSP?
Here are the requirements for the OES and RDSP to be compliant:
- Protect essential services to prevent cybersecurity incidents by implementing proportionate security measures,
- Ensure continuity of service by taking appropriate prevention and mitigation measures in the event of an incident; and
- Notify their competent authority in the event of a serious security problem.
UK NIS Incident Reporting Provisions
Comparable to the UK GDPR (General Data Protection Regulation) and DPA (Data Protection Act) 2018, organizations must report “significant” or “substantial” security incidents to their relevant authorities without undue delay and, if possible, within 72 hours of becoming aware of them.
In the UK, relevant competent authorities are designated on a sector-by-sector basis, each setting its own incident reporting thresholds and criteria.
According to the Regulations, in deciding whether an incident is “significant”, OES must consider three factors:
- The impact of the disruption on the number of users;
- The period during which the disturbance occurred; and
- The extent to which an event has impacted a particular geographic region.
For DSPs, an event is considered “significant” if it results in:
- For more than 5 million hours of use, the service was unavailable;
- A infringe the confidentiality, integrity, availability or validity of data accessible via networks or information systems that concern more than 100,000 people;
- A danger to public safety, security or death; Where
- At least one user suffered a material loss of more than one million euros (around £860,000).
What are the cybersecurity obligations of the NIS directive?
The primary security mandate of the NIS is to “detect and manage threats to the security of networks and information systems in an acceptable and proportionate manner”. The procedures in question must be proportionate to the overall risk, including incident response, business continuity management, monitoring, auditing and testing, and compliance with applicable international standards.
Which competent authority is concerned?
Competent Authorities (CAs) are the entities that Member States appoint to oversee the implementation of the NIS. In the UK, the CAs responsible for implementing the NIS Regulations are divided into industry-specific CAs. These include the Secretaries of State for Energy, Transport, Health and the Environment, as well as various devolved authorities such as the Northern Ireland Department of Finance, as well as Welsh Ministers and Scottish.
Cybersecurity audits and assessment framework
OES compliance with the NIS Regulations should be verified by audits conducted by approved competent authorities.
The CAF, established by the National Cyber Security Center (NCSC), will help organizations assess themselves against 14 security principles and explain the levels of security allowed for organizations under the standards of the Regulations.
DSPs will not be audited but will be investigated if there is an event that could suggest non-compliance with the Rules.
How to comply with NIS 2018 regulations?
To ensure compliance, SEOs and DSPs should create a cyber resilience program that includes the following elements:
- Robust cybersecurity defenses proportionate to the threat,
- Appropriate tools and mechanisms to quickly respond to events and report them,
- International standards such as ISO 27001 and ISO 27035 provide excellent foundations for ensuring compliance with NIS regulations. According to Article 12 of the Regulation, the measures adopted by DSPs must “conform to international standards”.
- Cyber incident response management, business continuity management, and penetration testing can all help organizations increase their cyber resilience and comply with NIS regulations.
Consequences of non-compliance with NIS regulations/NIS directive
Each EU Member State and the UK must establish their own financial sanctions policies and take steps to ensure they are implemented.
Non-compliant organizations face fines of up to £17 million in the UK. The amount of the fine will be determined by the competent authorities.
Brexit and NIS regulations
In March 2019, the UK government published the Network and Information Systems (Amendment etc.) (EU Exit) Regulations 2019, a regulatory instrument made under the European Union (Withdrawal) Act 2018. They will take effect on the twenty-first day following the release date.
These regulations do not make any significant changes to the OES or DSPs in the UK, but modify the NIS regulations to:
- Eliminate some of the NCSC foreign collaboration requirements;
- Eliminate references to service providers headquartered in the European Union;
- Currency converter euros to pounds sterling.
When the UK leaves the EU, DSPs that provide services to the EU may be required to appoint a representative located in the EU member state where they provide the majority of their services.
How Cyphere can help you comply with NIS regulations
- We can provide you with all the compliance resources you need, including consultation, training and tools.
- We have multiple teams that can perform penetration testing on your networks and systems, protecting you against evolving threats.
- We will help SMBs implement an effective security incident response plan to respond to NIS regulatory incident reports.
- We provide sound advice and tailor our services to your budget and business requirements.
- Our pricing structure is simple and open.
Contact us to discuss your cyber security or compliance with NIS regulations for your business.