Why do you need to know about the NIS Directive?
The Network and Information Security Directive
This blog provides a perspective on the Network and Information Security Directive (NIS), which imposes regulations that providers of critical infrastructure services must adhere to, or be subject to penalties. Whilst businesses have been swept up with the rush of preparing for the EU General Data Protection Regulation (GDPR), there has been an overshadowing of the equally important NIS Directive, which seems to have resulted in a lack of relevant discourse.
By Charlie Maynard, Niek Ijzinga and Dick van Veldhuizen
- Importance NIS Directive
- What does it entail?
- How to prepare?
- Transposition in the Netherlands?
- More information?
Why is the NIS Directive so important?
This is the first EU wide legislation on cybersecurity. It focuses primarily on regulating so called operators of essential services (transport, energy, banking, healthcare) and providers of digital services (cloud services, online marketplaces, and search engines), and will be transposed to national law by May 9th 2018. Some member states are planning to impose severe penalties for failure to adhere to the Directive. In the UK, the government plans to enact penalties for non-compliance of up to £17 million or 4% of a company’s global turnover – aligning penalties with those included in the enforcement of the GDPR. Furthermore, according to a Dutch draft law, fines could reach as much as €5 million. Based on the results of a discourse analysis of 330 cybersecurity documents published by the European Parliament between 2016 and 2017, it is likely that strict penalties will be in place across other EU member states as well.
This is primarily because the NIS Directive is perceived by Members of the European Parliament (MEP) to be critically important as it ensures cybersecurity oversight of systems which are fundamental to the functioning of society. During the aforementioned discourse analysis, the NIS Directive was found to be the most discussed cybersecurity subject in the European Parliament for 2016 and 2017. While the NIS Directive was mentioned on 77 occasions within the context of cybersecurity, the GDPR was mentioned on only 13 occasions. This suggests that the NIS Directive is perceived by MEPs to be of great importance, likely warranting strict penalties across EU member states.
So what does the NIS Directive entail?
Following the transposition of the Directive in May, EU member states will have an additional 6 months to identify which organizations they deem to be operators of essential services and providers of digital services. For these organizations the NIS Directive highlights two primary obligations to ensure the continuity of essential services:
- To take appropriate technical and organizational measures to manage threats to networks and information systems
- To notify ‘without undue delay’ the authorities about any significant security incident
While the NIS Directive is a product of the EU with similarities to the GDPR, there are key differences between the two. Mainly, they originate from different concerns. The NIS Directive is primarily meant for organizations involved in the provision of critical infrastructure services, whereas the GDPR addresses all organizations that process personal data. However, there will be instances of overlap; if a provider of an essential service is hacked, this may mean that their clients personal data has been compromised in addition to the disruption of their service delivery. Consequently, many organizations will have to ensure compliance with the NIS Directive as well as the GDPR.
How can providers of critical infrastructure prepare for the NIS Directive?
As mentioned, the NIS Directive is a directive not a regulation. It is up to each member state to decide how it will be implemented in legislation. Consequently, the transposition of the Directive has not yet been finalized, which makes it difficult for businesses to know exactly how to prepare. What is clear though, is that member states must impose penalties for infringement that are ‘effective, proportionate and dissuasive’. So, regardless of whether or not transpositions have been finalized, measures should be adopted to accommodate the NIS Directive, and remain within the bounds of the law.
This includes ensuring that organizations subject to the Directive have:
- Mature or enhanced threat detection systems
- Mature incident management
- Effective incident reporting mechanisms
And can provide:
- The results of real time incident simulations
- The information necessary for authorities to assess security of network and information systems
- Evidence of effective implementation of security policies
- Results of security audits
How will the NIS Directive be transposed in the Netherlands?
In the Netherlands there has yet to be a finalized transposition of the NIS Directive, however there is a draft law that has been discussed in the parliament and the senate that covers the requirements of the NIS Directive; the ‘Regels ter implementatie van richtlijn (EU) 2016/1148’. Its contents are more or less a repetition of the NIS Directive, but the law also specifies the Dutch authorities to which operators of essential services and providers of digital services must report cybersecurity incidents:
|Ministry of Economic Affairs and Climate||Energy & Digital Infrastructure|
|The Dutch Bank (DNB)||Banking & Infrastructure for the financial market|
|Ministry of Infrastructure and Water Management||Transport & Supply and distribution of drinking water|
|Ministry of Health, wellbeing and sports||Healthcare|
Additionally, this law states that organizations which do not comply with one of the articles in the law will be fined €1 million. If an organization does not comply with two or more of the articles in the law, they will be subject to a fine of €5 million. This suggests that the Dutch Government is prepared for a swift transposition of the NIS Directive.
Deloitte Risk Advisory assists many organizations that maintain national critical infrastructure with managing their risk. As the NIS Directive transposition deadline is May 9th, providers of critical infrastructure will have to prepare their organizations for NIS compliance. Typical preparations for this would include:
- NIS gap assessment
- Construction of NIS roadmap
- NIS transformation
- Validation of NIS compliance
With approximately 4 months until the NIS Directive becomes a formal part of national law, it would be wise to start making considerations now. Download a copy of the NIS Directive above.
Do you want to know more about the NIS Directive? Please contact Charlie Maynard at +31 (0)64 1887907, Niek Ijzinga at +31 (0)88 2885598 or Jelle Niemantsverdriet at +31 (0)88 2882433.