On 10 May 2018 the UK Government implemented new measures to protect the nation from cyber-attacks.
The measures transpose the EU Directive on the security of network and information systems, referred to as the NIS Directive, into UK law.
Organisations in scope will have to demonstrate that they have taken the cyber security measures the directive requires. Organisations in the UK found not to be compliant may be fined up to £17 million.
Why was the NIS Directive Implemented?
The NIS Directive aims to enhance cyber security across the European Union, and the deadline for member states to introduce national legislation was 9 May 2018.
The directive focuses on improving the security of network and information systems across the EU – including the essential services they support. These services are integral to the UK’s infrastructure – such as healthcare, transport, electricity and water supply. They are attractive targets for cyber criminals, as shown by incidents such as the 2015 attack on the Ukrainian electricity network and the 2016 attacks on US water utilities.
Securing the UK’s network and information systems is therefore essential to prevent potentially significant damage to the economy and societal stability.
Which organisations does the NIS Directive apply to?
- Operators of Essential Services
- Digital Service Providers
The services in question are classed as those that provide:
- Support for economic and/or societal activities
- A service that is dependent on network and information systems such as:
- Ones used for automatic data processing of digital data
- Electronic communications networks
- Systems storing, processing, retrieving or transmitting data
- A service that would cause disruption if compromised.
The last point may result in the NIS Directive being applicable to some smaller companies but overall it is expected that it will be larger companies who are affected by this directive.
What measures must an organisation take to be compliant?
- Establish a governance framework for the security of networks and information systems
- Identify risks through a risk assessment plan
- Ensure its workforce has undergone cyber security training and/or awareness training
- Perform an audit and relay the results of the security measures taken.
The National Cyber Security Centre (NCSC) provides guidance to assist Competent Authorities and operators in meeting the NIS Directive’s security requirements. Note that NIS also covers service availability more broadly than cyber security alone, for example resilience in the event of a flood.
What is a Competent Authority?
A Competent Authority has been designated for each of the sectors affected by the NIS Directive and these authorities will be responsible for the overarching governance and policing of this regulation.
Information on the Competent Authorities can be found on gov.uk.
NIS Competent Authorities, like the Department for Transport, are releasing sector specific guidance for implementation.
How does NIS differ from compliance standards?
The NIS Directive differs from traditional risk management and compliance exercises.
The threshold of what is good enough is not a tick-box exercise: it is a moveable baseline set by the Competent Authority and, for cyber at least, supported by the NCSC on the basis of threat and vulnerability intelligence and the Indicators of Good Practice mitigations.
The Indicators of Good Practice in the NCSC-defined Cyber Assessment Framework (CAF) may change over time and will also be augmented for specific sectors by the Competent Authorities.
This ability to move the threshold is about effectiveness, not tick-box compliance.
How can APMG help you achieve compliance?
APMG’s Cyber Defence Capability Assessment Tool (CDCAT®) is a cutting-edge cyber security assessment technology and service – developed by Dstl.
By performing comprehensive assessments of your organisation’s cyber security defences on a recurring basis, CDCAT® can help produce concrete evidence of the effectiveness of your security posture. This evidence demonstrates your organisation’s compliance and could be used to show that you meet the requirements of the Competent Authority in potential enforcement circumstances.
CDCAT® identifies capability vulnerabilities in your organisation’s defences – enabling you to make informed, evidence-based decisions in sustaining this effective security posture and achieving NIS compliance to the Competent Authority requirements.