It has been a year since 10th May 2018 when the Network and Information Systems Directive (NISD) was due to have been transposed into law by each of the EU Member States. Whilst this didn’t quite make the same headlines as GDPR (which is also now one year old), it has raised some serious implications for cyber-security. So, one year on, we can take stock of how much progress has already been made.
The NIS Directive required each EU Member State to establish a CSIRT, so that the network of CSIRTs could promote swift and effective operational cooperation on specific cyber-security incidents and share information about risks. Unlike GDPR, which it feels like just about everyone has heard about, the NIS Directive only impacts specific industries: namely Operators of Essential Services and Digital Service Providers. These must take appropriate security measures and report incidents to a Competent Authority. The Competent Authority in turn then reports to the National CSIRT or Single Point of Contact (SPOC).
One year on it is fair to say that the NIS Directive is not proving trivial for most organisations to comply with, and there remains some uncertainty about who needs to take the initiative. Is it for industry to lead the way in establishing mechanisms for Incident Reporting to the Competent Authority, or vice versa?
When the compliance deadline first came about, few EU Member States had implemented the Directive. Since then, the numbers have more than doubled, but a number are still lagging behind. These delays in implementation undermine the purpose of the Directive. The NIS Directive was brought about to improve standards across the EU, by improving the collaboration between Member States.
What next?
Operators of Essential Services and critical Digital Service Providers will be on a journey, doing their bit to ensure compliance, through collaborating and sharing information about risks and threats. For most operators in the UK, the onus is on them to understand whether they are caught within the scope of the NIS Directive. If they believe they are, they will have registered with their Competent Authority, who should help them to understand guidance specific to their sector and help them to identify which of their systems could cause an impact on service.
The NIS Directive requires ongoing work and the culture of sharing information needs to be built on. Within the UK, the CiSP platform has grown over the past six years. CiSP is a community in which members share cyber information voluntary. Threatvine, the platform that powers CiSP has Incident Reporting at its heart. It was designed with those responsible for implementing National Cyber Strategies and enables operators to securely and efficiently meet the NISD incident reporting requirements.
The NCSC has provided some detailed guidance on this, much of the which is available on CiSP, as well as that on the public website as part of the NIS Guidance Collection, particularly the Cyber Assessment Framework (CAF).