Network and information systems provide the backbone in supporting essential services within today’s society, such as the provision of healthcare, transportation systems, supply of water and electricity. The continuity of these services in a secure and reliable manner is vital to day-to-day activities.
What is it?
The NIS Directive is a European Union (EU) wide legislation on cyber security. On the 10th May 2018 the UK transposed the NIS directive into UK legislation as The Network and Information Systems Regulations 2018 (NIS Regulations).
The ERS NIS consultancy and gap analysis service assesses your current level of compliance against the requirements of the Network and Information Systems Regulations 2018 (NIS Regulations) and helps identify and prioritise the key areas that must be addressed to achieve full compliance.
Key features of this service
- Gap Analysis of the NIS directive controls
- NIS Risk Assessment and Risk Management
- Internal Audit
- Document Creation and Review
- Security Awareness Training
- Project Management
- Control Implementation
- Practical advice, working in line with budgets and organisational needs
- NIS Directive Consultancy
- Achieve compliance and satisfy contractual requirements
- Reduces overall organisational and security risks
- Tailored to your needs and business requirements
- Fixed price consultancy project cost
- Improves overall cyber resilience and cyber security
- Minimal disruption to the business operations
- Qualified Consultants (CISSP, ISO27001, Lead Auditors, Security cleared etc.)
- Analysis of current state and overall maturity of NIS compliance
- Provides assurance to prospective clients, investors or board of directors
Whom does it apply to?
The NIS applies to two types of entities or organisations within the EU:
- Operators of Essential Services (OES) – these are organisations established in the EU.
- Digital Service Providers (DSPs) – these are organisations which offer services to anyone within the EU.
In summary, the NIS requires OES and DSPs to:
- Take appropriate organisational measures and technical controls to secure their network and information systems;
- Take into account the latest developments and trends to consider the potential risks facing the systems;
- Take appropriate measures to prevent and minimise the impact of security events or incidents to ensure continuity of services; and
- Notify the relevant authority of any significant security incident without undue delay.
Note 1: Certain DSPs such as small or micro businesses are exempt from the regulation (companies employing fewer than 50 people whose annual turnover and/or balance sheet total is less than €10 million).
Note 2: The NIS Regulation comes into effect before the UK leaves the EU, and the UK government has confirmed that the Regulation will apply irrespective of Brexit.
In the UK, competent authorities are appointed for each sector. They are responsible for enforcing the requirements of the law and providing guidance in relation to compliance.
OESs will be audited by their appointed Competent Authority to ensure they are compliant with the NIS or, at the very least, working towards compliance.
Consequences of non-compliance
Member states within the EU are required to set their own rules on financial penalties and must take the measures necessary to ensure that they are implemented.
Within the UK, organisations found to be in breach or non-compliant may be fined up to £17 million. The level of fine will vary between sectors and will be assessed by the competent authority.
How can we help?
ERS Consultancy provides a range of services to help you better understand the NIS and help your organisation on its NIS compliance journey. Our services include, but are not limited to:
- NIS guidance and training on the NIS directive/regulation
- NIS Gap Analysis and Compliance Requirements
- NIS Consultancy and Support Services
Get in touch with us for more information on the NIS and how our experts can help you prepare for compliance.