Policy Q&A: The Basics of the NIS Directive
In this Q&A, Danielle Kriz, senior director of Global Policy, and Fred Streefland, senior manager of Product Marketing for EMEA, cover the basics of the EU’s Network and Information Security Directive and what it might mean for organizations.
Fred: Let’s talk about a new cybersecurity law in the European Union, the Network and Information Security (NIS) Directive. What is it, who does it apply to, and what do they need to do?
Danielle: It’s the EU’s first law specifically focused on cybersecurity, which I blogged about in May. Through transposition into national laws, it applies in all 28 EU member states.
The NIS Directive aims to improve the cybersecurity capabilities of the EU’s critical infrastructure by setting security and incident notification obligations across many types of organizations offering essential and digital services. The NIS Directive also requires member states to enact national cybersecurity strategies and engage in EU cross-border cooperation, among other measures.
The requirements on industry outlined in the NIS Directive are applicable to two categories of entities: operators of essential services and digital service providers. Although the directive outlines generally what is in these categories, each member state is responsible for identifying the OES established in their territories that are in scope.
- Operator of Essential Services (OES): Sectors covered include energy (e.g., electricity, oil and gas companies), transportation (including air, rail, water and roads), healthcare (like hospitals and clinics), certain banking and finance (such as credit) institutions, suppliers and distributors of drinking water, and digital infrastructure (like internet exchange points).
- Digital Service Provider (DSP): There are three categories: online marketplaces, online search engines and cloud computing services. The Directive has some small company exceptions for DSPs.
The directive sets security and incident notification obligations on these organizations. They must:
- Take appropriate and proportionate technical and organizational measures to manage risks to the security of their network and information systems, and these measures must “have regard to the state of the art.”
- Take appropriate measures to prevent incidents affecting the security of their network and information systems.
- Notify competent national authorities of security incidents of particular magnitudes.
These requirements are related to the networks and information systems used to provide the covered essential or digital services. The requirements also apply whether the OES or DSP manages its own network and information systems or outsources them.
The EU’s Agency for Network and Information Security (ENISA) has details on the directive.
Fred: How is the NIS Directive rolling out?
Danielle: The NIS Directive sets out objectives and policies to be attained through legislation at an EU member state level. All 28 EU countries were required to put the directive into national law by May 2018 (although the reality is that, as of August 2018, some were still behind).
The impact will vary based on how each country previously regulated companies for cybersecurity. Some member states will make big changes and introduce new laws. Other member states might have existing laws into which they will need to integrate NIS requirements.
ENISA has issued non-binding guidelines for NIS so companies may want to look there. But many member states are expected to issue their own requirements. The European Commission has published a useful “state-of-play” of member states’ implementation of the NIS Directive.
Fred: Do non-EU headquartered companies need to worry about NIS?
Danielle: Yes, if they offer any of the covered essential or digital services in one or more EU countries. Regardless of where a company is headquartered, a company covered under NIS must follow the law in the EU country where it has its main establishment. In fact, even companies providing digital services in the EU with no physical presence in the EU at all may be affected by the NIS Directive.
Therefore, we recommend that organizations operating in EU countries do their research and obtain legal advice on whether NIS applies to them and the exact details of what they must do.
Danielle: Now, let me ask you some questions, Fred. Assuming you are responsible for the security of an organization that needs to comply with the EU Network and Information Security Directive, what does this mean to you and the organization? As a former CISO, what would you do and how would you approach this?
Fred: Every operator of essential services or digital service provider in the EU needs to comply with the NIS Directive (with some small company DSP exceptions). You mentioned the requirements: they need to take measures that have regard to state-of-the-art technologies to manage the risks to their network and information systems. They must take appropriate security measures to prevent and minimize the impact of security incidents. Besides this, they also have the obligation to report security incidents of a certain magnitude to their national authority.
As the person responsible for information security, you need to become “in control” of the risks to your network and information systems. So, I would focus on what matters and start with getting visibility into the security of your network and information systems.
This means understanding:
- Which networks and information systems support the covered services and how they are currently secured.
- Whether the products and services you use to protect those networks/systems account for the state of the art.
- What measures you are taking to prevent and minimize the impact of incidents on those networks and systems.
- Whether you are able to track and identify the impact of incidents that may occur, so that you are able to notify authorities as needed.
I also recommend reading a recent blog by Greg Day, our CSO for EMEA, that explains how CISOs can view the NIS Directive as a positive opportunity for change.
Danielle: Again, from the CISO perspective, what is the final takeaway you’d like to share?
Fred: It is imperative to get proper visibility into your networks, information systems and data. In my opinion, that’s a prerequisite for effective security and compliance.
Palo Alto Networks is committed to assisting our customers on their road towards NIS Directive compliance. If you want to know how we can help, please attend our upcoming EU NISD webinar.
For more information on the NIS Directive, download our paper What Is the NIS Directive?
The information provided in this blog, concerning technical, legal or professional subject matters, is for general awareness only, may be subject to change, and does not constitute legal or professional advice, nor a warranty of fitness for a particular purpose or of compliance with applicable laws. Always consult a qualified lawyer on any specific legal problem or matter.
Danielle Kriz and Fred Streefland
[Palo Alto Networks Research Center]