Network and information systems provide the backbone in supporting essential services within today’s society, such as the provision of healthcare, transportation systems,
The European Union (EU) has introduced the Network and Information Systems (NIS) Directive to raise the overall level of security and resilience of network and information systems across its member states.
The focus of the directive is to ensure the protection of the EU's critical infrastructure and thereby the security, continuity and reliability of the essential services it supports.
What is it?
The NIS Directive (Directive (EU) 2016/1148, adopted in July 2016) is EU-wide legislation on cyber security.
On 10 May 2018 the UK transposed the NIS Directive into UK law as The Network and Information Systems Regulations 2018 (NIS Regulations).
Who does it apply to?
The NIS Regulations apply to two types of organisation:
- Operators of Essential Services (OES) – organisations established in the EU that provide a service essential to the maintenance of critical societal or economic activities, in sectors such as energy, transport, health, drinking water and digital infrastructure.
- Digital Service Providers (DSPs) – organisations that offer online marketplaces, online search engines or cloud computing services to customers within the EU.
In summary, the NIS Regulations require OES and DSPs to:
- Take appropriate and proportionate technical and organisational measures to secure their network and information systems;
- Take account of the state of the art and of the risks facing those systems when deciding what those measures should be;
- Take appropriate measures to prevent and minimise the impact of security events or incidents to ensure continuity of services; and
- Notify the relevant authority of any significant security incident without undue delay.
Note 1: Small and micro businesses (companies employing fewer than 50 people whose annual turnover and/or balance sheet total is below €10 million) are exempt from the DSP requirements.
Note 2: The NIS Regulations came into force before the UK leaves the EU, and the UK government has confirmed that they will continue to apply irrespective of Brexit.
In the UK, a competent authority is appointed for each sector. Competent authorities are responsible for enforcing the requirements of the Regulations and for providing guidance on compliance.
OES will be audited by their competent authority to confirm that they comply with the NIS Regulations or, at the very least, are working towards compliance.
Consequences of non-compliance
Each EU member state is required to set its own rules on financial penalties and to take the measures necessary to ensure they are enforced.
In the UK, organisations found to be in breach of, or non-compliant with, the Regulations may be fined up to £17 million. The level of any fine will vary between sectors and is assessed by the relevant competent authority.
How we can help
ERS Consultancy provides a range of services to help you understand the NIS Regulations and support your organisation on its compliance journey. Our services include, but are not limited to:
- Guidance and training on the NIS Directive and Regulations
- NIS gap analysis and compliance requirements
- NIS consultancy and support services
Get in touch with us for more information on the NIS Regulations and how our experts can help you prepare for compliance.