Along with EU GDPR the NIS Directive (Directive on security of network and information systems) does not just affect the EU but has impacts for any organization active within the EU regardless of location. It is the first piece of EU-wide cybersecurity legislation which aims to achieve a common level of information system security across the EU
It applies to
- OES (operators of essential services) – such as energy, transport, banking, financial, health sector organizations.
- DSPs (digital service providers) – such as online search engines and marketplaces and cloud computing services.
How does this apply to the US and Canada?
Digital service providers are not tied to a physical location and as such their reach is cross border, so they must comply with the directive. If they have do not have an EU location then the relevant representative needs to be designated in the member state. US based OES is not as likely to happen but if there is an EU location affiliated to the company they need to comply also.
What must OES and DSP do to comply?
- Take appropriate technical and organizational measures to manage risks to networks and information systems
- Notify the correct authorities or regulator about any significant security incident, in a similar manner to the GDPR (General Data Protection Regulation) and California Consumer Privacy Act (CCPA), where incidents are reported without delay no later than 72 hours after being aware of them
- Ensure continuity of their services by having taken the relevant precautionary measures
Achieving compliance
OES and DSP can achieve a higher level of cyber vigilance and gain compliance by following an amalgamated approach. If they implement a protocol which uses strong cybersecurity defenses including a keen cyber threat incident response management system, implement and use the appropriate tools for reporting and effectively dealing with incidents. They can be proactive by employing regular penetration testing to scout out vulnerabilities and adopt best practice standards. For example adopting ISO 27001Information Security Management will help manage information security processes as part of an internationally defined method of best practice. OES and DSP can demonstrate their commitment to achieving compliance through ISO 27035 Information security incident management which covers the processes for managing information security events, incidents and vulnerabilities (it expands on information security incident management section of ISO 27002 Information technology — Security techniques — Code of practice for information security controls). And finally by installing business continuity management systems (BCMS) such as ISO 22301 Societal security – Business continuity management systems – Requirements is another area to consider.
Non-compliance consequences
According to the directive fines must be “effective, proportionate and dissuasive.” The exact amount varies between member states. Even if the member state has not fully implemented the directive the DSP has to comply or incur costs. OES will be audited under the NIS. DSP with their level of risk being smaller than OES will face regular auditing but lower security requirements though not lighter penalties for non-compliance.