On the 19th of July, the much discussed and anticipated Network and Information Security (NIS) Directive was published in the Official Journal of the EU. The Directive was developed to ensure that societies’ dependencies on technology undertake relevant cybersecurity activities to ensure resilience and confidence as we become ever more digitally dependent.
The most important aspect is when this comes into force, which is the 8th of August 2016. However, it is not immediately applicable: each member state then has a period in which to take the Directive and turn it into national legislation—that must be completed by the 10th of May 2018. It effectively then becomes live the following day.
As such, by the 11th of May 2018, you will need to be compliant if the Directive applies to your organisation; however, you should note that, although countries have until the 10th of May, they may choose to bring into force their own laws or regulations earlier, so now is the time to start engaging at your country levels to validate their planned timelines.
So what should be the next steps for any business’ cybersecurity team, now that the implementation timeline is defined and the Directive issued is final? Here are my suggestions:
1. Does it apply to your organisation? From research we are conducting with IDC, it is clear there is confusion. The Directive covers two distinct categories of entities:
- Operators of Essential Services – a public or private entity that “provides a service which is essential for the maintenance of critical societal and economic activities; depends on network and information systems; and where an incident to the network and information systems of that service would have significant disruptive effects on its provision.”
Action 1: Although the Directive lists industry sectors and sub-sectors considered operators of essential services, each Nation has the requirement to identify which organisations in its territories will be included, so you will need to validate with your relevant national authority if your company is included.
Just because an industry sector is not listed as an “essential service” in the Directive, that does not mean it is not subject to security requirements in the EU. The Directive recognizes that some sectors already are subject to sector-specific EU requirements for security that are either in-line with or potentially higher than those defined in the Directive. (Among other things, the Directive requires covered organisations to take measures that have regard to the “state of the art”.)
Action 2: Validate if your industry sector has been identified as already being effectively exempt due to existing legislative or compliance requirements meeting/exceeding the Directive’s objectives.
- Digital Service Providers (online marketplaces, online search engines, and cloud service providers) – these companies also have security and incident notification requirements, although they are less stringent than for essential service operators. Further, for digital service providers, requirements do not apply to “micro” or “small” enterprises as defined by EU law.
Action 3: Member states will not further define digital service providers, so the definition in the Directive is set. As such you should be able to determine immediately if it applies to you.
Action 4: The security and incident notification requirements for digital service providers will be developed by the European Commission. If you believe you are covered, there is the opportunity to influence the requirements. As a first step, there is currently a survey being conducted by ENISA on the incident reporting scope (responses are due at the end of July 2016).
More information can be found here.
2. What should you do next? The Directive states that both operators of essential services and digital service providers must take cybersecurity measures with regard to state of the art and also has requirements to notify relevant national authorities of cyber incidents.
Action 5: Now that the scope and timelines are defined, for those businesses that the Directive applies to, the next natural step is to start to complete the gap analysis.
- How near to or far from the requirements are you?
Security and incident notification requirements:
Operators of Essential Services (from Article 14)
“Member States shall ensure that operators of essential services take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in their operations. Having regard to the state of the art, those measures shall ensure a level of security of network and information systems appropriate to the risk posed.”
“Operators must notify, without undue delay, to the competent authority or CSIRT incidents having a significant impact on the continuity of the essential services they provide.”
Digital Service Providers (from Article 16)
“Member States shall ensure that providers “identify and take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in the context of offering [online marketplace, online search engine, cloud computing services] within the Union.”
“Digital service providers must notify, without undue delay, to the competent authority or CSIRT any incident having a substantial impact on the provision of a service [search, online marketplaces, cloud] that they offer within the EU.”
- What will be your strategy where you are required to become compliant?
- Do you have budget assigned and the appropriate business support to achieve this?
- How will you ensure you can validate and maintain the state of the art?
3. How do you leverage the resources that will be available to you? Each nation will be required to have a CSIRT, and the CSIRTs are encouraged to share among each other non-confidential information on cyber incidents and associated risks. These potentially will be able to provide great insight on what and where some of the key cyber risks are relevant to the businesses covered by the Directive. Likewise they should provide access to skilled resources that may be able to assist in the definition, testing and during incident response cycles.
Action 5: Do you know the CSIRT or competent national authority to which you may need to notify incidents? (Some CSIRTS/authorities may already exist; in other cases, member states will be establishing them.) How are you connected into them?
Action 6: Do you have an incident response strategy today. If not, how are you preparing for the requirement?
- How are you leveraging the skills, knowledge and resources that may be able to help you define, validate or support you during an incident?
It may seem like 2018 is a long way out yet, but 2017 is effectively the year I would consider in which businesses need to achieve the Directive’s requirements. The remainder of 2018 should be kept to validate and test your businesses capabilities, be they achieving state of the art or testing your incident response and notification capabilities.
Being part of the infrastructure and digital services that are deemed at core to society can seem like a great responsibility; however, with that comes support from national entities and their trusted providers. For some organisations this may be welcome relief, as they need to increase their capabilities; for others, it may require very little change at all.
What is key for every business is to understand if the new Directive applies to them and then work with the national entities and their trusted providers to use the time allocated to understand the requirements, complete the gap analysis, and use the coming period so that their cybersecurity capabilities have the required regard for the state of the art in place by the May 2018 deadline.
[Palo Alto Networks Research Center]