The NIS Directive
What it is and who is affected
The UK will be implementing the EU directive on the security of Networks and Information Systems (known as the NIS Directive) in May this year.
Network and information systems and the essential services they support play a vital role in society, from ensuring the supply of electricity and water, to the provision of healthcare and passenger and freight transport. Their reliability and security are essential to everyday activities.
The Directive came into force in August 2016. EU member states – including the UK – have until May 2018 to translate it into national laws, and a further six months to identify the "operators of essential services and digital service providers" it applies to.
Non-compliance is likely to result in punitive fines, similar to those under the General Data Protection Regulation (GDPR), which becomes law during the same month.
The aim of the NIS Directive is to ensure UK operators of essential services are prepared to deal with the increasing number of cyber threats. It will also cover other threats affecting IT, such as power failures, hardware failures and environmental hazards. It aims to:
- Improve cyber security capabilities at a national level
- Increase co-operation on cyber security among EU member states
- Introduce security measures and incident reporting obligations for "Operators of Essential Services" (OES) in critical national infrastructure (CNI) and "Digital Service Providers" (DSPs).
OES include energy, transport, banking, water, healthcare and digital infrastructure, while DSPs include any legal person that provides a digital service, such as search engines, online marketplaces and cloud computing services.
Details on who is affected and how to comply are available on the NCSC website: https://www.ncsc.gov.uk/guidance/introduction-nis-directive