What is the NIS Directive?
As part of the EU cybersecurity strategy, the European Commission first proposed the EU Network and Information Security (NIS) Directive in 2016, which was the first piece of EU-wide cybersecurity legislation. The Directive became enforceable as of May 9, 2018, and every EU member state must adopt national legislation, which follows or ‘transposes’ the directive. EU directives give member states the flexibility to consider national circumstances, including the ability to reuse existing organizational structures or to align with existing national legislation. The aim of the Directive is to create stronger cybersecurity levels in European nations.
The NIS Directive has three main parts:
- National capabilities: EU member states must have certain national cybersecurity capabilities in their individual EU countries, (e.g. they must have a national CSIRT, perform cyber exercises, etc.)
- Cross-border collaboration: Cross-border collaboration between EU countries (e.g. the operational EU CSIRT network, the strategic NIS cooperation group, etc.)
- National supervision of critical sectors: EU member states must supervise the cybersecurity of critical market operators in their country: Ex-ante supervision in critical sectors (energy, transport, water, health, digital infrastructure and finance sector), ex-post supervision for critical digital service providers (online marketplaces, cloud and online search engines).
In December 2020, the European Union Agency for Cybersecurity (ENISA) published a report on investments made from a NIS perspective. ENISA surveyed 251 organizations across five EU member states (France, Germany, Italy, Spain and Poland) and concluded that the level of adoption of the NIS Directive was 70.6% in Germany, 66.7% in France, 64% in Italy, 48% in Spain and 42.9% in Poland.
Applicability and penalties under the NIS Directive
The Directive applies to digital service providers (DSPs) and operators of essential services (OESs) that have operations in EU member states. DSPs include entities providing digital services, such as search engines, online marketplaces and cloud computing services. OSPs include any organizations that engage in critical societal or economic activities whose operations would be greatly affected in the case of a cybersecurity breach. This includes sectors like energy and power operators, transportation providers, food and water suppliers. Under the NIS Directive, each EU member state must compile a list of organizations that they deem to be essential service providers.
Both DSPs and OESs are held accountable for reporting major security incidents to computer security incident response teams (CSIRTs), even if they outsource the maintenance of their information systems to third parties. The NIS Directive states that penalties for non-compliance must be “effective, proportionate and dissuasive.” However, individual member atates, not the EU, ultimately determine the specific penalties for non-compliance. In the UK for example, organizations who fail to implement effective cybersecurity measures could be fined as much as £17 million or 4% of global turnover.
Best practices for NIS Directive compliance
The NIS Directive security requirements include specific technical measures that manage the risks of cybersecurity breaches in a preventative manner. One of the best examples of how to apply these technical controls is the Cyber Assessment Framework (CAF) guidance put out in 2018 by the UK’s National Cyber Security Centre (NCSC). It focuses on specific indicators of good practice under the NIS Directive, including these four objectives and 14 principles:
- Managing security risk: Organizations must ensure that the appropriate structures, policies and processes are in place to understand, assess and systematically manage security risks to the network and information systems supporting essential functions.The principles under this objective include:
- Governance–ensure that the appropriate management policies and processes are in place to govern the security of network and information systems.
- Risk management–organizations must identify, assess and understand cybersecurity risks to the network and information systems supporting the operation of essential functions.
- Asset management–everything required to deliver, maintain or support the operation of essential functions is determined and understood. This includes data, people and systems, as well as any supporting infrastructure.
- Supply chain–the organization understands and manages security risks to the operation of essential functions that arise as a result of dependencies on external suppliers, including ensuring that appropriate measures are employed where third party services are used.
- Protecting against cyberattacks: Organizations must ensure that proportionate security measures are in place to protect the network and information systems supporting essential functions from cyberattack.The Principles under this Objective include:
- Service protection and policies–an organization must define, implement, communicate and enforce appropriate policies and processes that direct its overall approach to securing systems and data that support the operation of essential functions.
- Identity and access control–the organization understands, documents and manages access to networks and information systems and supporting the operation of essential functions. Users (or automated functions) that can access data or services are appropriately verified, authenticated and authorized.
- Data security–data stored or transmitted electronically must be protected from actions such as unauthorized access, modification or deletion that may cause an adverse impact on essential functions.
- System security–systems critical to the operation of essential functions must be protected from cyberattack, using robust and reliable protective security measures to effectively limit opportunities for attackers to compromise networks and systems.
- Resilient networks and systems–an organization must build resilience against cyberattack into the design, implementation, operation and management of systems that support the operation of essential functions.
- Staff awareness and training–staff have appropriate awareness, knowledge and skills to carry out their organizational roles effectively in relation to the security of network and information systems supporting the operation of essential functions.
- Detecting cybersecurity incidents: Organizations must ensure that security defenses can detect cybersecurity events affecting, or with the potential to affect, essential functions.The Principles under this Objective include:
- Security monitoring–organizations should monitor the security status of the networks and systems supporting the essential functions to detect potential security problems and track the ongoing effectiveness of protective security measures.
- Proactive security and event discovery–the organization detects, within networks and information systems, malicious activity affecting or with the potential to affect, the operation of essential functions even when the activity evades standard signature-based security prevent/detect solutions (or when standard solutions are not deployable).
- Minimizing impact of security incidents: Organizations must ensure that they can minimize the adverse impact of a cybersecurity incident on the operation of essential functions, including the restoration of those functions where necessary.The Principles under this Objective include:
- Response and recovery planning–organizations must have well-defined and tested incident management processes in place, that aim to ensure continuity of essential functions in the event of system or service failure. Mitigation activities designed to contain or limit the impact of compromise should also be in place.
- Lessons learned–when an incident occurs, an organization must take steps to understand its root causes and ensure appropriate remediating action is taken.
Complying with the NIS Directive in operational technology (OT) Systems
Meeting the requirements of the NIS Directive can be an extremely difficult and time-consuming task. Ideally, operators of essential services should automate as many of the technical cybersecurity controls as possible to ensure they are achieving their security goals and also have quick access to accurate information for NIS Directive compliance reporting purposes. If an OES relies heavily on OT for business operations, such as an energy company or transportation provider, choose a cybersecurity solution that is purpose-built for these environments. To implement NIS Directive cybersecurity controls effectively, a technology partner is needed that can build a layered approach. A strong OT asset management program is an essential base level, enabling an organization to implement proper change control, vulnerability and patch management and ultimately robust corporate compliance and reporting.