Operators of essential services and digital service providers are now required to comply with the EU Directive on security of network and information systems (the NIS Directive). Here we look at what this directive means for operators of essential services.
Reliance on ICT is ever increasing; cyberattacks can impede economic activity and cause major damage to the economy of the European Union. The existing capabilities are not sufficient to ensure a high level of security of network and information systems within the Union. Therefore, on July 6th 2016, the first piece of EU-wide legislation on cybersecurity was adopted: the NIS Directive.
The main objective of the NIS Directive is to achieve a high common level of security of network and information systems across the European Union, in order to improve the functioning of the internal market. To reach that level of security, the directive lays down a series of obligations for EU member states, but also for any organisation identified as an operator of essential services (OES) or qualifying as a digital service provider (DSP).
OES can be either private businesses or public entities that provide a service essential for the maintenance of critical societal and/or economic activities. An entity falls under the NIS Directive as an OES if the provision of its essential service(s) depends on network and information systems and if a security incident would have a significant disruptive effect on the provision of that service.
Operators of essential services are identified as such by the national authorities of each member state and must be notified of this identification. Each member state establishes a list of OES active in one of the sectors listed in the table below. This list must be maintained and updated on a regular basis, and each change must be notified to the organisations concerned.
| Sector (sub-sectors) | Type of entity |
| --- | --- |
| Energy (electricity, gas, oil) | Production, transmission, distribution, storage, supply |
| Transport (air, rail, water, road) | Air carriers, airport management, infrastructure management, railway undertakings, passenger and freight water transport, port management, road authorities |
| Health sector (health care settings) | Hospitals, clinics, healthcare providers |
| Drinking water | Supply and distribution of water intended for human consumption |
| Digital infrastructure | IXPs, DNS service providers, TLD name registries |
| Financial market infrastructures | Operators of trading venues, central counterparties |
| Banking | Credit institutions |
Operators of essential services have to take appropriate security measures to guarantee the resilience of their essential operations. Those measures must ensure a high level of security of network and information systems, but also include plans to manage the risks and handle incidents so that the impact on the essential service is minimised.
In addition to security measures, the NIS Directive requires OES to report, without undue delay, incidents that have a significant impact on the continuity of the essential service(s) their network and information systems support.
Each member state transposes the NIS Directive into national law and defines its list of operators of essential services. Upon identification, OES are notified and have to start their journey towards NIS compliance. Their obligations are summarised in the table below.
| Obligation | What it means for an OES |
| --- | --- |
| Take measures to prevent and minimise the impact of security incidents | OES must have measures in place that allow them to anticipate and prevent incidents affecting the network and information systems on which their essential services depend. If an incident cannot be prevented, everything must be in place to minimise its impact and ensure continuity of service. |
| Share information with authorities, including the security policy | OES must share with the competent national authorities any information needed to assess the security of their network and information systems. This can include the security policy in place and, in some member states, a description of the network and information systems supporting the essential service. |
| Define and implement an appropriate security policy | A security policy should be adopted that defines both technical and organisational measures. Through the application of this policy, the OES should be able to manage the risks posed to the essential service it provides, reach a level of security appropriate to the risk, and guarantee the availability, authenticity, integrity and confidentiality of its systems. |
| Control of security measures | National authorities can request evidence that the security policy is effectively implemented, for example reports from internal and/or external audits. Some member states have made regular audits mandatory for their OES. |
As soon as they are identified as such, OES must notify the competent authority or CSIRT of any incident having a significant impact on the continuity of the essential service, whether the impact concerns the availability, confidentiality, integrity or authenticity of the network and information systems on which the service relies.
Note that entities that would qualify as OES but have not yet been notified of their identification by the authorities may report incidents on a voluntary basis.
In case of non-compliance with the national NIS law, organisations expose themselves to sanctions. The level of the financial penalties depends on each member state's transposition of the NIS Directive, but should in any case not be overlooked.