The NIS Regulations were enacted in May 2018 to implement the EU NIS Directive in UK law.
The NIS (Network and Information Systems) guidelines are intended to safeguard the security of essential services concerning information technology systems in important areas of the economy, such as transportation, energy, water, health, and digital infrastructure.
The strictest requirements of the NIS Directive apply to so-called ‘operators of essential services’, while a more lenient framework applies to online marketplaces, online search engines, and cloud computing service providers, which are designated in the Act as ‘digital service providers’ (DSPs).
Both operators of essential services and DSPs are required to keep their networks and information systems secure and to report specific information security incidents to their competent authorities; in the case of the UK NIS Regulations, this is the Information Commissioner’s Office (ICO).
The detailed concept of the NIS regulations/directive
The EU’s NIS Directive (Directive on network and information system security) is the first piece of national cyber security law proposed by the European Commission.
Its objective is to provide the appropriate security measures for networks and information systems throughout the EU’s essential services and digital infrastructure sectors.
On 10 May 2018, the NIS Directive was implemented into UK legislation as The Network and Information Systems Regulations 2018 – sometimes referred to as the ‘NIS Regulations’.
Who is required to adhere to the NIS Regulations?
The Regulations apply to the following two types of entities:
1. OES (Operators of Essential Services)
OESs are governmental or private sector organisations that rely on network and information systems to deliver a critical service to society that might be severely interrupted by a cyber attack. The energy, transportation, water, and healthcare sectors all fall under this description. Most banking and financial services firms are exempt from most of the NIS Regulations, as the Bank of England and the Financial Conduct Authority already enforce high standards in finance.
2. RDSP (Relevant Digital Service Providers)
The NIS Regulations also apply to three categories of entities providing digital services:
- online marketplace,
- online search engines, and
- cloud computing services (including Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) providers).
RDSPs with fewer than 50 employees, a headquarters outside the United Kingdom, and/or an annual turnover of less than €10 million are exempt from the NIS Regulations.
It should be noted that the Regulations do not apply to DSPs classified as a ‘micro or small enterprise’ (companies with fewer than 50 employees and an annual revenue and/or balance sheet total of less than €10 million (about £8.7 million)).
What is the difference between the NIS regulations/directive and the GDPR?
Numerous provisions of the NIS Directive and Regulations are consistent with the General Data Protection Regulation (GDPR). The UK’s Data Protection Act (DPA) covers 8 principles in a similar manner under its core privacy principles.
While the NIS Directive and Regulations apply solely to operators of essential services (OES) and relevant digital service providers (RDSP), the GDPR extends to all organisations that handle personal data.
Many organisations will already have taken steps to ensure GDPR compliance, and such efforts may help them meet both sets of requirements concurrently.
Which appropriate and proportionate measures are required from OES and RDSP?
The following are the requirements for OES and RDSP to achieve compliance:
- Protect essential services to prevent cyber security incidents by implementing proportionate security measures,
- Assure service continuity by taking appropriate preventative and mitigation measures in the event of an incident; and
- Notify their relevant competent authority in the event of a severe security issue.
Incident reporting provisions under the UK NIS Regulations
Comparable to UK GDPR (General Data Protection Regulation) and DPA (Data Protection Act) 2018, organisations must report “significant” or “substantial” security incidents to their competent authorities without undue delay and, where feasible, within 72 hours of becoming aware of them.
In the United Kingdom, relevant competent authorities are designated on a sector-by-sector basis, with each setting its own incident reporting thresholds and criteria.
According to the Regulations, when deciding whether an incident is “significant,” OES must examine three factors:
- The number of users affected by the disruption;
- The duration of the disruption; and
- The extent to which the incident has impacted a particular geographical region.
For DSPs, an incident is considered “significant” if it results in:
- The service being unavailable for more than 5 million user hours;
- A breach of the confidentiality, integrity, availability, or validity of data accessible through networks or information systems that affects more than 100,000 people;
- A danger to public safety or public security, or loss of life; or
- At least one user suffering a material loss of more than €1 million (about £860,000).
What obligations does the NIS Directive have in terms of cyber security?
NIS’s primary security mandate is to “detect and manage the threats to the security of network and information systems in an acceptable and proportional manner.” The measures in question should be proportionate to the overall risk and cover incident response, business continuity management, monitoring, auditing, and testing, as well as compliance with applicable international standards.
Who is the relevant competent authority?
The Competent Authorities (CA) are the entities that member states nominate to monitor the implementation of the NIS. In the United Kingdom, the CAs charged with implementing the NIS Regulations are divided by sector. These include the Secretaries of State for Energy, Transport, Health, and the Environment, together with devolved authorities such as Northern Ireland’s Department of Finance and the Welsh and Scottish Ministers.
Audits and the Cyber Assessment Framework
The compliance of OES with the NIS Regulations is checked through audits undertaken by the approved competent authorities.
The Cyber Assessment Framework (CAF), established by the NCSC (National Cyber Security Centre), assists organisations in assessing themselves against 14 security principles and explains the acceptable security levels for organisations in accordance with the Regulations’ standards.
DSPs will not be audited, but they will be investigated if an incident occurs that may suggest non-compliance with the Regulations.
How to comply with the NIS Regulations 2018
To ensure compliance, OES and DSPs should create a cyber resilience programme that includes the following:
- Cyber security defences that are robust and proportionate to the threat,
- Appropriate tools and mechanisms for rapidly responding to and reporting events,
- Alignment with international standards such as ISO 27001 and ISO 27035, which provide excellent foundations for ensuring compliance with the NIS Regulations. According to Section 12 of the Regulations, the measures adopted by DSPs must be “consistent with international norms.”
- Cyber incident response management, business continuity management, and penetration testing, all of which may help organisations increase their cyber resilience and comply with the NIS Regulations.
Consequences of non-compliance with the NIS Regulations/NIS Directive
Each EU Member State, as well as the UK, must establish its own financial penalty policy and take steps to guarantee its implementation.
Non-compliant organisations face fines of up to £17 million in the United Kingdom. The fine amount will be determined by the appropriate authorities.
Brexit and the NIS Regulations
In March 2019, the UK government issued the Network and Information Systems (Amendment etc.) (EU Exit) Regulations 2019, a statutory instrument made pursuant to the European Union (Withdrawal) Act 2018. They will take effect on the twenty-first day following the date of exit.
These Regulations make no significant changes to OES or DSPs in the United Kingdom, but alter the NIS Regulations to:
- Remove some of the NCSC’s international collaboration requirements;
- Remove references to service providers headquartered in the European Union; and
- Convert euro amounts to British pounds.
When the UK exits the EU, DSPs that provide services to the EU may be required to appoint a representative located in the EU member state where they provide the majority of their services.
How Cyphere may assist you in complying with NIS Regulations
- We can provide you with all of the compliance resources you need, including consultation, training, and tools.
- We have multiple teams that can conduct penetration tests on your networks and systems to help you protect against evolving threats.
- We will help SMEs to implement an effective security incident response plan to address NIS regulations incident reporting.
- We provide sound advice and tailor our services to your budget and company requirements.
- Our pricing structure is straightforward and open.
Get in touch to discuss your cyber security or NIS regulations compliance for your business.
Shahrukh is a passionate cyber security analyst and researcher who loves to write technical blogs on different cyber security topics. He holds a Master’s degree in Information Security and an OSCP, and has a strong technical skillset in offensive security.