Securing essential services
With an increasing number of cyber threats targeting critical infrastructure, the importance of protecting operators of essential services, such as transportation, health, water and energy, has never been greater.
EU Directive 2016/1148, the Directive on the Security of Networks and Information Systems (the NIS Directive or Cyber Security Directive), came into force in July 2016 and was transposed into UK law as The Network and Information Systems Regulations 2018 (NIS Regulations) on 10 May 2018.
The NIS Directive is designed to improve security and resilience across the European Union by ensuring that operators of essential services and digital services providers have the necessary controls in place to minimise security risk.
NIS Directive Summary
What is the NIS Directive?
The NIS Directive is an EU-wide cyber security directive designed specifically to enhance the resilience of network and information systems. It requires member states to ensure that providers of critical infrastructure and services have appropriate security measures in place to manage cyber risk and maintain continuity. Member states are also required to designate one or more NIS competent authorities (CAs) to help oversee implementation of the Directive.
In the UK, the CAs responsible for enforcing the NIS Regulations include the Secretaries of State for Energy, Transport, Health and the Environment, and various devolved authorities such as the Department of Finance for Northern Ireland and the Welsh and Scottish Ministers.
Objective A: Managing security risk
- A.1 – Governance
- A.2 – Risk management
- A.3 – Asset management
- A.4 – Supply chain
Objective B: Protecting against cyber attack
- B.1 – Service protection policies and processes
- B.2 – Identity and access control
- B.3 – Data security
- B.4 – System security
- B.5 – Resilient network and systems
- B.6 – Staff awareness and training
Objective C: Detecting cyber security events
- C.1 – Security monitoring
- C.2 – Proactive security event discovery
Objective D: Minimising impact of cyber incidents
- D.1 – Response and recovery planning
- D.2 – Lessons learned/improvements
Audits & penalties
NIS security audits and penalties for non-compliance
Adherence to each of the 14 NIS principles listed above is judged on how well a total of 39 outcomes are met. Each outcome is assessed against Indicators of Good Practice (IGPs).
Operators of essential services (OESs) will be audited regularly by their relevant competent authority to ensure they are fully compliant with the NIS Regulations or, at the very least, working towards compliance. Relevant digital service providers (RDSPs) are not audited, but they are subject to investigation following any incident that could indicate non-compliance.
In the UK, non-compliant organisations may be fined up to £17 million. The largest fines will be imposed where an incident results in an immediate threat to life or significant adverse impact on the UK economy.
If an OES or RDSP also falls foul of the GDPR and/or the DPA 2018, the organisation could be liable to separate sanctions. While the UK government has stated that OESs and RDSPs should not be tried for the same offence twice, they may still be penalised under different regimes where there are multiple, distinct instances of wrongdoing.
- A leading UK-based MDR company
- Red and blue team CREST CSOC expertise
- High-quality intelligence and actionable outcomes
- Quick and hassle-free service deployment
- An agnostic approach to technology selection
- Avg. >9/10 customer satisfaction, 95% retention rate