A Guide to NIS Directive Compliance

What Is the NIS Directive?

As part of the EU cybersecurity strategy, the European Commission first proposed the EU Network and Information Security (NIS) Directive in 2016, which was the first piece of EU-wide cybersecurity legislation. The Directive became enforceable as of 9 May 2018, and every EU Member State must adopt national legislation, which follows or ‘transposes’ the directive. EU directives give Member States the flexibility to consider national circumstances, including the ability to re-use existing organisational structures or to align with existing national legislation. The aim of the Directive is to create stronger cybersecurity levels in European nations.

The NIS Directive has three main parts:

1. National capabilities: EU Member States must have certain national cybersecurity capabilities in their individual EU countries, (e.g. they must have a national CSIRT, perform cyber exercises, etc.)
2. Cross-border collaboration: Cross-border collaboration between EU countries (e.g. the operational EU CSIRT network, the strategic NIS cooperation group, etc.)
3. National supervision of critical sectors: EU Member states must supervise the cybersecurity of critical market operators in their country: Ex-ante supervision in critical sectors (energy, transport, water, health, digital infrastructure and finance sector), ex-post supervision for critical digital service providers (online marketplaces, cloud and online search engines).

In December 2020, the European Union Agency for Cybersecurity (ENISA) published a report on investments made from a NIS perspective. ENISA surveyed 251 organisations across five EU Member States (France, Germany, Italy, Spain and Poland) and concluded that the level of adoption of the NIS Directive was 70.6% in Germany, 66.7% in France, 64% in Italy, 48% in Spain, and 42.9% in Poland.

Applicability & Penalties Under the NIS Directive

The Directive applies to digital service providers (DSPs) and operators of essential services (OESs) that have operations in EU Member States. DSPs include entities providing digital services, such as search engines, online marketplaces and cloud computing services. OSPs include any organisations that engage in critical societal or economic activities whose operations would be greatly affected in the case of a cybersecurity breach. This includes sectors like energy and power operators, transportation providers and food and water suppliers. Under the NIS Directive, each EU Member State must compile a list of organisations that they deem to be essential service providers.

Both DSPs and OESs are held accountable for reporting major security incidents to Computer Security Incident Response Teams (CSIRTs), even if they outsource the maintenance of their information systems to third parties. The NIS Directive states that penalties for non-compliance must be “effective, proportionate, and dissuasive.” However, individual Member States, not the EU, ultimately determine the specific penalties for non-compliance. In the UK for example, organisations who fail to implement effective cybersecurity measures could be fined as much as £17 million or 4% of global turnover.

Best Practices for NIS Directive Compliance

The NIS Directive security requirements include specific technical measures that manage the risks of cybersecurity breaches in a preventative manner. One of the best examples of how to apply these technical controls is the Cyber Assessment Framework (CAF) guidance put out in 2018 by the UK’s National Cyber Security Centre (NCSC). It focuses on specific indicators of good practice under the NIS Directive, including these four Objectives and 14 Principles:

1. Managing Security Risk: Organisations must ensure that the appropriate structures, policies, and processes are in place to understand, assess and systematically manage security risks to the network and information systems supporting essential functions.
   The Principles under this Objective include:
2. Governance- Ensure that the appropriate management policies and processes are in place to govern the security of network and information systems.
3. Risk Management- Organisations must identify, assess and understand cybersecurity risks to the network and information systems supporting the operation of essential functions.
4. Asset Management- Everything required to deliver, maintain or support the operation of essential functions is determined and understood. This includes data, people and systems, as well as any supporting infrastructure.
5. Supply Chain- The organisation understands and manages security risks to the operation of essential functions that arise as a result of dependencies on external suppliers, including ensuring that appropriate measures are employed where third party services are used.
6. Protecting Against Cyber Attacks: Organisations must ensure that proportionate security measures are in place to protect the network and information systems supporting essential functions from cyberattack.
   The Principles under this Objective include:
7. Service Protection & Policies- An organisation must define, implement, communicate and enforce appropriate policies and processes that direct its overall approach to securing systems and data that support the operation of essential functions.
8. Identity & Access Control- The organisation understands, documents and manages access to networks and information systems and supporting the operation of essential functions. Users (or automated functions) that can access data or services are appropriately verified, authenticated and authorised.
9. Data Security- Data stored or transmitted electronically must be protected from actions such as unauthorised access, modification or deletion that may cause an adverse impact on essential functions.
10. System Security- Systems critical to the operation of essential functions must be protected from cyberattack, using robust and reliable protective security measures to effectively limit opportunities for attackers to compromise networks and systems.
11. Resilient Networks & Systems- An organisation must build resilience against cyberattack into the design, implementation, operation and management of systems that support the operation of essential functions.
12. Staff Awareness & Training- Staff have appropriate awareness, knowledge and skills to carry out their organisational roles effectively in relation to the security of network and information systems supporting the operation of essential functions.
13. Detecting Cybersecurity Incidents: Organisations must ensure that security defences can detect cybersecurity events affecting, or with the potential to affect, essential functions.
    The Principles under this Objective include:
14. Security Monitoring- Organisations should monitor the security status of the networks and systems supporting the essential functions to detect potential security problems and track the ongoing effectiveness of protective security measures.
15. Proactive Security & Event Discovery- The organisation detects, within networks and information systems, malicious activity affecting, or with the potential to affect, the operation of essential functions even when the activity evades standard signature-based security prevent/detect solutions (or when standard solutions are not deployable).
16. Minimising Impact of Security Incidents: Organisations must ensure that they can minimise the adverse impact of a cybersecurity incident on the operation of essential functions, including the restoration of those functions where necessary.
    The Principles under this Objective include:
17. Response & Recovery Planning- Organisations must have well-defined and tested incident management processes in place, that aim to ensure continuity of essential functions in the event of system or service failure. Mitigation activities designed to contain or limit the impact of compromise should also be in place.
18. Lessons Learned- When an incident occurs, an organisation must take steps to understand its root causes and ensure appropriate remediating action is taken.

Complying with the NIS Directive in Operational Technology (OT) Systems

Meeting the requirements of the NIS Directive can be an extremely difficult and time-consuming task. Ideally, operators of essential services should automate as many of the technical cybersecurity controls as possible to ensure they are achieving their security goals and also have quick access to accurate information for NIS Directive compliance reporting purposes. If you are an OES that relies heavily on OT for your business operations, such as an energy company or transportation provider, choose a cybersecurity solution that is purpose-built for these environments. To implement NIS Directive cybersecurity controls effectively, you need to choose a technology partner that can build a layered approach. A strong OT asset management program is an essential base level, enabling your organization to implement proper change control, vulnerability and patch management, and ultimately robust corporate compliance and reporting.

To learn more about the NIS Directive indicators of good practice and tips for applying them in OT systems, download our NIS Directive implementation guide.