<img height="1" width="1" src="https://www.facebook.com/tr?id=1046809342117480&amp;ev=PageView &amp;noscript=1">

VSEC Blog: IT Security Channel News brought to you by Infinigate UK

Share the Infinigate UK Blog on LinkedIn Share the Infinigate UK Blog on Twitter Share the Infinigate UK Blog on Facebook Share the Infinigate UK Blog on Google+ Share the Infinigate UK Blog via Email

Everything you need to know about the NIS Directive

Topics: European Union, IT Security, NIS, Incident Response, Risk Mitigation, Critical National Infrastructure, NIS Directive

Posted: 04 July 2018

Everything you need to know about NIS Directive, security of network and information systems

Hot on the heels of The GDPR (General Data Protection Regulation), yet enforced just fifteen days before, the directive on security of network and information systems (NIS) has been created to achieve a high, common level of network and information systems security across the European Union.

Who does the NIS Directive apply to?

There are two categories of organisation which the NIS has targeted:

  • - Operators of Essential Services (OES) - that are established in the EU.
  • - Digital Service Providers (DSPs) - that offer services to persons within the EU1.

These have been chosen because of their criticality to everyday life and because of their heightened level as a target to cyber attackers.

Note: DSP's who are smaller than 50 employees or have an annual turnover of less than €10 million are obliged to follow the NIS directive.

[You may also be interested to read "4 NIS Directive Services VAR's can provide to their Customers"]


What is an Operator of Essential Services (OES)?

Operators of Essential Services (OES)
include utility providers and other critical infrastructure providers who have a heavy reliance on information technology and connectivity to the internet. Our daily reliance on their availability has made them targets of both cyber attackers who wish to exploit them, and regulators who wish to keep them online.

Examples of OES' include:

  • - Power and electricity companies.
  • - Transportation companies e.g train and bus operators.
  • - Healthcare organisations.
  • - Water and gas companies.
  • - Internet service providers and telecommunication companies.


What are the NIS Directive Requirements for an OES?

As this is a directive, discrepancies between member states based on interpretation or requirement can exist. In the case of an OES, the UK government has published a list of 14 security principles which must be adhered to:

Objective A - Managing security risk:

  • A.1 Governance
  • A.2 Risk management
  • A.3 Asset management
  • A.4 Supply chain

Objective B - Protecting against cyber attack:

  • B.1 Service protection policies and procedures
  • B.2 Identity and access control
  • B.3 Data security
  • B.4 System security
  • B.5 Resilient networks and systems
  • B.6 Staff awareness and training

Objective C - Detecting cyber security events:

  • C.1 Security monitoring
  • C.2 Anomaly detection

Objective D - Minimising the impact of cyber security incidents:

  • D.1 Response and recovery planning
  • D.2 Improvements

Satisfactory adherence to these 14 security principles will be monitored and evaluated via audits carried out by designated competent authorities in the UK; or other member state.


What is a Digital Service Provider (DSP)?

Digital Service Provider (DSP) is defined by the directive as being "for remuneration, at a distance, by electronic means and at the individual request of a recipient of services". Examples include:

  • - Search engines such as Google.
  • - Cloud hosting providers such as AWS and Microsoft Azure.
  • - Online marketplaces such as Amazon or eBay.

In the UK, DSP's have to register with the Information Commissioner's Office if they are offering services into the UK, even if they are not established there, as they must for all EU member states in which they offer services.


What are the NIS Directive Requirements for a DSP?

DSP's are required to ensure a baseline level of security which is appropriate to the risks inherent in offering their service or services. This is expected to include:

  • - The security of their systems and facilities e.g firewalls, anti-virus software and patching.
  • - Incident handling and response planning.
  • - Business continuity and backup management.
  • - System and network monitoring, auditing and logging.
  • - Testing and vulnerability assessment.
  • - Compliance with international standards such as ISO 27001.

The directive gives some freedom in choice to DSP's to “take technical and organisational measures they consider appropriate and proportionate to manage the risks”, so long as the choices made reduce or mitigate discovered areas of high risk.

NIS Directive and GDPR ensure Data Protection remains compliant after May 2018

Infinigate UK
Posted by: Infinigate UK
Share via:

Subscribe to VSEC Blog Updates

Terms and Conditions:
  • When completing this form, you are indicating your consent for this processing activity. By doing this you are providing Infinigate UK with lawful consent to process your submitted personal data for one or both of the marketing purposes below:
    • We will use your details to send you blog updates.
    • We will match your answers to areas of interest which believe you have and may send you additional marketing materials related to those areas.
  • We will keep your personal data for nine months, upon which we will delete your personal data unless you have consented to further processing or we have legitimate interests to retain it. You are free to withdraw your consent at any time by contacting our marketing department or using one of our unsubscribe links in our communications.
  • In some cases where you indicate consent for supplying you with additional promotional marketing material, we will share your personal data with one of our reseller partners, should your areas of interest match a solution or service they provide. We instruct all our reseller partners to communicate this data transfer with data subject affected.
  • Your personal data is stored in a marketing automation solution database, access to this is limited to authorised users and all necessary steps to ensure data security is maintained.

For further information about this form, your rights under the General Data Protection Regulation or how to exercise them, please contact Infinigate's marketing department here.

Popular Posts