Everything you need to know about the NIS Directive

Everything you need to know about NIS Directive, security of network and information systems

Hot on the heels of The GDPR (General Data Protection Regulation), yet enforced just fifteen days before, the directive on security of network and information systems (NIS) has been created to achieve a high, common level of network and information systems security across the European Union.

Who does the NIS Directive apply to?

There are two categories of organisation which the NIS has targeted:

  • – Operators of Essential Services (OES) – that are established in the EU.
  • – Digital Service Providers (DSPs) – that offer services to persons within the EU1.

These have been chosen because of their criticality to everyday life and because of their heightened level as a target to cyber attackers.

Note: DSP’s who are smaller than 50 employees or have an annual turnover of less than €10 million are obliged to follow the NIS directive.

[You may also be interested to read “4 NIS Directive Services VAR’s can provide to their Customers“]


What is an Operator of Essential Services (OES)?

Operators of Essential Services (OES)
include utility providers and other critical infrastructure providers who have a heavy reliance on information technology and connectivity to the internet. Our daily reliance on their availability has made them targets of both cyber attackers who wish to exploit them, and regulators who wish to keep them online.

Examples of OES’ include:

  • – Power and electricity companies.
  • – Transportation companies e.g train and bus operators.
  • – Healthcare organisations.
  • – Water and gas companies.
  • – Internet service providers and telecommunication companies.


What are the NIS Directive Requirements for an OES?

As this is a directive, discrepancies between member states based on interpretation or requirement can exist. In the case of an OES, the UK government has published a list of 14 security principles which must be adhered to:

Objective A – Managing security risk:

  • A.1 Governance
  • A.2 Risk management
  • A.3 Asset management
  • A.4 Supply chain

Objective B – Protecting against cyber attack:

  • B.1 Service protection policies and procedures
  • B.2 Identity and access control
  • B.3 Data security
  • B.4 System security
  • B.5 Resilient networks and systems
  • B.6 Staff awareness and training

Objective C – Detecting cyber security events:

  • C.1 Security monitoring
  • C.2 Anomaly detection

Objective D – Minimising the impact of cyber security incidents:

  • D.1 Response and recovery planning
  • D.2 Improvements

Satisfactory adherence to these 14 security principles will be monitored and evaluated via audits carried out by designated competent authorities in the UK; or other member state.


What is a Digital Service Provider (DSP)?

Digital Service Provider (DSP) is defined by the directive as being “for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”. Examples include:

  • – Search engines such as Google.
  • – Cloud hosting providers such as AWS and Microsoft Azure.
  • – Online marketplaces such as Amazon or eBay.

In the UK, DSP’s have to register with the Information Commissioner’s Office if they are offering services into the UK, even if they are not established there, as they must for all EU member states in which they offer services.


What are the NIS Directive Requirements for a DSP?

DSP’s are required to ensure a baseline level of security which is appropriate to the risks inherent in offering their service or services. This is expected to include:

  • – The security of their systems and facilities e.g firewalls, anti-virus software and patching.
  • – Incident handling and response planning.
  • – Business continuity and backup management.
  • – System and network monitoring, auditing and logging.
  • – Testing and vulnerability assessment.
  • – Compliance with international standards such as ISO 27001.

The directive gives some freedom in choice to DSP’s to “take technical and organisational measures they consider appropriate and proportionate to manage the risks”, so long as the choices made reduce or mitigate discovered areas of high risk.