The NIS Directive – What it Really Means

Last Monday’s announcement that the European Union (EU) has informally agreed on the Network and Information Security (NIS) Directive is a significant step that will shape the European cybersecurity landscape. The NIS Directive provides an EU-level harmonized approach to cybersecurity, covering every EU member state and a wide group of “operators of essential services” active in energy, transport, banking, financial services, healthcare and other critical sectors. These operators must now prepare to implement the Directive’s requirements to ensure compliance and avoid penalties.

NIS empowers national authorities to audit private operators where non-compliance is suspected. Enforcement will sit alongside related regulation, in particular the European General Data Protection Regulation (GDPR), which sets its own security requirements and requires notification of personal data breaches, backed by fines and penalties.

When the NIS Directive is formally adopted, each member state will have 21 months to transpose it into national law. Member states then have a further six months to identify the operators of essential services within scope, and those operators must in turn comply with the Directive’s security and reporting requirements. For EU governments, the Directive requires each member state to adopt a national cybersecurity strategy, which includes establishing a policy and regulatory framework for network and information security and creating a national computer security incident response team (CSIRT).

Incident reporting is a central requirement of the NIS Directive. Entities within scope must notify a competent national authority of incidents that have a significant impact on the continuity of the essential services they provide. The authority may inform the public where public awareness is necessary to prevent or handle an incident. Notification must be made “without undue delay”; the Directive itself fixes no number of hours, but the working expectation is a window of 24-72 hours from discovery of the incident.

Recognizing that threat intelligence sharing is critical to responding to cybercrime, the NIS Directive also calls for a cooperation network to coordinate cyber defense efforts, in particular where an incident crosses borders. This includes exchanging early warnings and threat intelligence between national authorities and CSIRTs.

Finally, entities within the scope of the NIS Directive must implement “state-of-the-art” security measures that “guarantee a level of security appropriate to the risk.” The Directive names no specific control, so this is a risk-based bar rather than a checklist. In practice that bar is difficult to meet with signature-only controls, which is why entities within scope should evaluate and adopt behaviour-based detection systems, now the accepted standard for defending against advanced attacks.

Because the NIS Directive is not yet finalized, some changes to its exact terms and requirements are possible. It is not, however, expected to change substantially from what was agreed this week. Below is guidance on what businesses need to do to ensure they are compliant:

Penalties
It is the responsibility of EU member states to determine penalties, but the Directive does specify that penalties must be “effective, proportionate and dissuasive.” As noted earlier, NIS grants authorities the power to initiate audits of private operators where non-compliance is suspected. Enforcement will be combined with related regulation, in particular the penalties and fines in the forthcoming European General Data Protection Regulation.

Security Standard
The NIS Directive requires that entities within its scope implement “state-of-the-art” security measures that “guarantee a level of security appropriate to the risk.”

Next Steps for Businesses
With formal adoption of the Directive likely in early 2016, businesses should begin preparing now. This includes:

1.  Implementing behaviour-based detection systems, now the accepted standard for detecting and preventing advanced attacks;

2.  Preparing an incident response readiness programme that can meet the reporting requirements in time (expect a window of 24-72 hours from discovery of an incident);

3.  Adopting an intelligence-led security strategy that can integrate with the new NIS threat intelligence sharing programmes;

4.  Adopting an internal security and response strategy and coordinating it with the board of directors, chief legal officer and other senior executives;

5.  Reviewing all internal security processes and building the self-assessment and audit evidence that national authorities are empowered to require.

Businesses that do not take these actions within the initial 21-month transposition window risk being non-compliant when national authorities begin designating operators and enforcing the requirements.

It is important to recognize that mere “compliance” is not adequate protection against modern advanced attacks. Real security is more than compliance: it is a comprehensive security programme that includes non-signature-based detection and advanced threat defenses.