What is the NIS Directive?
Devised in 2016, the Network and Information Security (NIS) Directive is an EU-wide legislative act aimed at providing a baseline level of cyber security for critical infrastructure and service providers across all EU member states.
Each state is required to specify which organisations it considers to be an Operator of Essential Services (OES), to which the legislation then applies; an ‘essential service’ is typically anything in the energy, transport, finance, health and water supply sectors. Where operators conform with the NIS Regulations, there can be some confidence across the EU that they have put sufficient security in place, and they can also be held accountable for keeping their services secure.
As well as more ‘traditional’ essential services, the directive also covers Digital Service Providers (DSPs), though with slightly reduced requirements. This applies to organisations providing digital services that are now an essential part of our lives, such as online marketplaces, cloud service providers and search engines.
As a directive, it essentially outlines a set of objectives that every EU member state must adopt within its own national legislation, allowing each nation to align the directive with any pre-existing frameworks or legislation and giving some flexibility in how it is implemented. However it was implemented, nations had to transpose the directive into their own legislation by May 2018 in order to be compliant.
Under the NIS Directive, all significant security incidents and breaches in any EU nation are reported to the EU CSIRT network, ensuring that resources can be pooled, knowledge shared and lessons learned to protect critical services across the entire EU.
At the core of the NIS Directive are three mandates:
1. National capabilities
EU Member States must have, as a minimum, a certain set of cyber security capabilities, such as a national Computer Security Incident Response Team (CSIRT), participation in cyber exercises or ‘war games’, and defined escalation paths for critical national security incidents.
2. Cross-border collaboration
EU Member States must share cyber security information with one another as part of the EU-wide CSIRT network, and the strategic NIS cooperation group.
3. National supervision of critical sectors
EU Member States must supervise the cyber security of each critical service provider they identify, with proactive monitoring for OES and reactive assistance for DSPs.
In the UK, the Cyber Assessment Framework (CAF) was created in 2018 to support the UK's implementation of the NIS Directive. By defining cyber security ‘outcomes’, the CAF essentially describes an ideal state of cyber security without going into the specifics of how those outcomes should be achieved. Each outcome is accompanied by Indicators of Good Practice (IGPs), which are used to judge whether an organisation has achieved the desired outcome, and therefore whether it would be considered compliant with the NIS legislation.
Now on version 3.0, the CAF has been adapted to be less specifically aimed at organisations to which NIS applies, and is now a more general framework that many more organisations can use to judge their cyber security preparedness, either by self-assessment or through independent external scrutiny by a qualified regulatory organisation.