EU NIS Directive in a Nutshell
The European Union (EU) reached a significant milestone in December 2015 by agreeing on the Network and Information Security (NIS) Directive. The NIS Directive's primary goal is to contain cyber security threats and to establish a uniform, coordinated approach across EU member states. First and foremost, the proposal requires all member states to set up Computer Emergency Response Teams (CERTs) and to adopt national NIS strategies and national NIS cooperation plans.
The new cyber security laws agreed upon by EU lawmakers will impose stringent information security requirements on "operators of essential services", with special treatment for digital service providers. The NIS Directive expands the scope of operators of essential services to include energy, transport, financial services, healthcare and other critical industry segments. Essential operators are required to cooperate and exchange information about threats and incidents via trusted communication channels. The European General Data Protection Regulation, included as part of the NIS Directive, provides the framework and guidance on the changes needed for information security to be compliant. The European General Data Protection Regulation also defines the criteria for reporting data breaches.
Having been in the cyber security space for more than a decade, we have seen our fair share of regulations aimed at protecting against cyber threats. The private sector, especially banking, financial services and e-commerce, blazes the trail in cyber defense strategy and implementation. When we look at our customer base, financial services and banking firms have already implemented most of what the EU NIS Directive emphasizes. Establishing information and network security teams, staffing incident response teams, having well-defined processes for coordinated breach reporting that involve the board and executive team, and performing regular audits have been the norm for enterprises in the payment processing arena. Sharing threat intelligence data is also on the rise.
The biggest impact we see from the EU NIS Directive is the policy on data breaches. We believe this change will lead to more data breaches being reported. When a data breach occurs, the burden is on the affected firm to show which records were compromised or leaked. For example, the European General Data Protection Regulation for communications companies explicitly states: "The subscribers must be informed where possible damage to them is the consequence of a data breach." If an enterprise cannot identify which records were breached, it must assume that all records were breached and prepare for higher penalties.
Timeline for the EU NIS Directive
The EU understands that member states will need time to implement the NIS Directive before they are held accountable with penalties. The current proposal requires member states to adopt NIS strategies right away and to quickly establish national computer security incident response teams (CSIRTs). The deadline for completing implementation of the directive is 21 months from December 2015. Essential operators, which carry the higher level of security requirements, get another six months once the member states issue notifications. NIS enables member states to empower the necessary authorities to perform audits, investigate cases of non-compliance and impose proportionate penalties.
The NIS Directive is very aggressive and will go through amendments as the member states and all affected parties pore over the law. While the goals are clearly laid out, the implementation plans need a lot more clarity. All of the member states have to agree on the implementation, and there is no mention of how consistency will be ensured. Some member states, such as Germany and the UK, are ahead of the pack and already have the policies and procedures in place, while several others are lagging behind.