May 9th marked the deadline for EU member states to be fully compliant with the NIS Directive, a new piece of EU-wide legislation that requires operators of essential services (OES) established in the EU, as well as digital service providers (DSPs), to improve their cyber security measures in response to the associated risks. While Brexit may be a matter of months away, the government has already confirmed that the UK will be required to comply with the NIS Directive irrespective of our imminent EU exit.
Now in full force, the Directive requires OES and DSPs to take “appropriate and proportionate” action to enhance our nationwide security profile and mitigate the risk of costly and damaging attacks to our organisations. While it may not have received as much widespread publicity as the GDPR, the NIS Directive applies to a plethora of key industries: energy, transport, health, water and digital infrastructure companies as well as search engines, cloud computing service providers and online marketplaces.
Official guidance advises both OES and DSPs to take certain steps to ensure compliance, such as implementing an effective security incident response process as well as technical and organisational security measures. However, if they are to stay one step ahead, organisations in either category must keep abreast of the latest developments and trends in cyber crime and regularly revise their defence strategies accordingly.
While the NIS Directive states that the responsibility for determining penalties for non-compliance lies with the individual Member States and not the EU, it does clarify that penalties must be “effective, proportionate, and dissuasive.” Further, organisations that fail to comply with the new NIS Directive are now subject to reactive ex post supervisory activities by national competent authorities (NCAs). Of course, considering the unprecedented pace at which the cyber-threat landscape is evolving, compliance with the Directive is critical not only to avoiding financial penalties but also to strengthening our security profile.
“The NIS Directive is the first piece of EU-wide legislation on cyber security. It provides legal measures to boost the overall level of cyber security in the EU.”