Cybersecurity legislation in the EU – What is the NIS Directive?

May 2018 is a month that sticks out in the calendars of security professionals across Europe, and not only because the widely publicised General Data Protection Regulation (GDPR) becomes applicable on 25 May. In a push for stronger cyber security of critical national infrastructure, member states must transpose the Directive on Security of Network and Information Systems (Directive (EU) 2016/1148, commonly known as the NIS Directive) into national law by 9 May 2018, with the aim of raising the standard of cybersecurity across the continent.

The NIS Directive has escaped much of the limelight in the build-up to its implementation, with the GDPR receiving most of the media’s attention. That may be because attacks on critical national infrastructure have so far been rare: the UK’s National Cyber Security Centre recently revealed that it had prevented over a thousand cyberattacks in the last year, none of which was aimed at such systems.

But there have been many examples of such attacks within Europe and further afield, and some experts now predict that attacks on critical infrastructure will double over the next two years, driven by the growth of internet-connected devices and a digital skills shortage. Now is therefore the time to raise awareness of the NIS Directive and to begin preparing for its implementation.

Reassessing security to ensure NIS compliance

The NIS Directive has been positioned as the first piece of EU-wide cybersecurity legislation. It is focused on “operators of essential services” in the sectors listed in its Annex II: energy, transport, banking, financial market infrastructure, health, drinking water supply and distribution, and digital infrastructure. These are services critical to modern life, much of it delivered by networks and operational technology (OT) environments. Public telecommunications providers are regulated separately under the EU telecoms framework, and the directive also places lighter obligations on “digital service providers” such as cloud services, online marketplaces and search engines.

So, what do the operators of these essential services need to know? The directive states that they must “take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in their operations”, and must notify the national competent authority or CSIRT without undue delay of incidents that have a significant impact on the continuity of the service. In practice this should include strong user authentication and access controls, proactive monitoring for new threats, better training regimes and incident response drills, clear lines of responsibility within the organisation and throughout its supply chain, and regular threat modelling.

And what about the repercussions for non-compliance? The directive itself sets no fine amounts; it requires each member state to lay down penalties that are “effective, proportionate and dissuasive”. The fines of up to €20m or 4% of annual worldwide turnover often quoted in this context belong to the GDPR, not the NIS Directive; in the UK, the NIS Regulations 2018 set a maximum penalty of £17 million. Whatever the local figure, given the current threat landscape, penalties should not be the motivating factor for ensuring compliance.

The main purpose of the directive is to encourage good security practice. That is why, rather than perceiving the NIS Directive as a regulatory burden, it should be recognised as an opportunity to reassess whether security policies and procedures meet the demands of an increasingly connected world. If those processes are not up to date, now is the time to bring them up to date in order to mitigate the threat of a breach.

Discover Applied Risk’s Risk and Vulnerability Assessment (RVA) to ensure your business is prepared for the incoming regulations.