New NIS Directive Comes into Effect in the UK
New EU directive to ensure essential infrastructure remains running in the event of a cyber attack.
The EU Directive on the security of Network and Information Systems (the NIS Directive) came into effect on May 10, 2018.
NIS was adopted by the European Parliament in July 2016; since then, member states have had until today’s deadline to become compliant. The directive provides legal measures to boost the overall level of network and information system security.
It requires member states to sharpen up their cybersecurity defences by implementing a National Cyber Security Strategy, a Computer Security Incident Response Team (CSIRT), and National Competent Authorities (CAs). Furthermore, they must set up a Cooperation Group to facilitate strategic cooperation and the exchange of information. They must also participate in a CSIRT network to quickly and effectively share information about security risks and incidents.
Protecting the UK’s Critical Organisations
In the wake of a growing number of cyberattacks targeting organisations such as the NHS, member states will be required to identify their critical organisations or Operators of Essential Services (OES).
According to the UK Government’s consultation document, the UK’s OES category is likely to include: suppliers of drinking water, digital infrastructure, the health sector, air, marine, road and rail transport, cloud services, online marketplaces and search engines.
Sectors such as finance and civil nuclear are considered sufficiently protected by existing measures. According to the National Cyber Security Centre (NCSC): “Those OES will have to take appropriate and proportionate security measures to manage risks to their network and information systems, and they will be required to notify serious incidents to the relevant national authority.”
The NCSC’s Role in the Implementation of the NIS Directive
The NCSC will have a non-regulatory role in NIS but will provide technical support, advice and guidance to other UK government departments, devolved administrations, CAs and OES to help them achieve compliance. It will support CAs to enable them to adapt NIS principles for use in their sectors and help them to plan and undertake assessments using a Cyber Security Framework.
The NCSC will act as a single point of contact for engagement with EU partners on NIS, coordinating requests for action or information and submitting annual incident statistics. It will also take on the responsibilities of the UK’s CSIRT.
NCSC said: “The implementation of the NIS Directive is an opportunity to put mechanisms in place that drive real improvements to national cybersecurity. NCSC is committed to working constructively with CAs and OES to help ensure that NIS regulatory requirements are defined and used to promote and support effective cyber risk management.”