NIS – another EU Directive to follow - it's an attempt to provide a more secure IT platform for everyone

Written By:
Content Copyright © 2018 Bloor. All Rights Reserved.
Also posted on: The Norfolk Punt

While you are all (I hope) thinking about GDPR, just a brief heads-up on another EU initiative that will also still be important post-Brexit. The NIS Directive is the first piece of EU-wide legislation on cybersecurity. It provides legal measures to boost the overall level of cybersecurity in the EU.

The NIS Directive has nothing to do with GDPR directly, but there are some similarities with it and GDPR compliance may help you with NIS compliance. It comes in on the 9th May, 2018, before the UK leaves the EU, but the UK is committed to following it post-Brexit.

It is a Directive, not a Regulation, which means that, although it must still be followed, it needs to be written into the law of each member state. It has a different scope to GDPR. It applies to Operators of Essential Services (OES) in the EU; and Digital Service Providers (DSP) that offer services to persons within the EU (but not to “small” DSPs; and micro businesses with fewer than 50 people, and annual turnover less than €10 million). The maximum fine for non-compliance in the UK seems to be “only” £17million.

It is about:

  • Having appropriate technical and organisational measures to secure network and information systems;
  • Considering the potential risks facing the systems;
  • Having appropriate measures to prevent and minimise the impact of security incidents and to ensure service continuity; and
  • Notifying the relevant supervisory authority of any security incident having a significant impact on service continuity without undue delay.

All good stuff, and it goes beyond mere “cyber security” to include service delivery, but I don’t think it should be confused with GDPR and the security of personal data. On the other hand, it is very appropriate to IT and Network Service Management, as it is all about providing the sort of reliable and trustworthy infrastructure needed by the Mutable Business.

There’s a UK-oriented Compliance Guide here. But remember that It also applies to service providers that do business in the EU but are not based in the EU. The EU documentation on NIS is available here, and should be read in conjunction with any UK-specific guidance. In Paragraph 65, the EU documentation covers the case of “a digital service provider not established in the Union [which] offers services within the Union” and the designation of a representative in the EU, in some detail.