GDPR has stirred a frenzy of preparation in the business community on a scale unseen since the millennium bug. With the spotlight fixed so firmly on GDPR, another piece of EU cyber security legislation has slipped quietly under the radar. It is the NIS Directive, and EU member states had until May 9, 2018 to transpose it into national law; in the UK, the NIS Regulations 2018 came into force the following day.
Following the heavily publicised wave of cyber crime in recent years – the 2017 WannaCry ransomware attack, for example – cyber security has become a global hot topic. Both the NIS Directive and GDPR answer to the pressing need for better business cyber security processes.
So, what is the NIS Directive, how does it fit with GDPR, and what does it mean for UK businesses? Howard Williams from UK software house Parker Software investigates.
What is the NIS Directive?
The NIS Directive is an EU directive on the security of network and information systems. As a directive (rather than a regulation), it does not apply directly: each EU country must pass its own national cyber security law within the parameters NIS sets.
The NIS Directive aims to:
- Raise the levels of overall security and resilience of networks across the EU.
- Ensure that any essential networks, businesses and information systems are ready to deal with the increasing volume of cyber threats.
In short, the NIS Directive is a set of EU-defined principles designed to guide cyber security decision-making and legislation processes.
Who does it affect?
The businesses that fall under the NIS Directive are those whose services are considered essential to the UK (and, more widely, the EU) economy. They fall into one of two categories: operators of essential services (OES) established in the EU, and digital service providers (DSPs) offering services to persons in the EU.
OES are providers of services whose disruption would damage both the economy and society. The sectors named in the Directive are energy, transport, banking, financial market infrastructures, health, drinking water supply and digital infrastructure. A serious interruption to one of these services, whether caused by a security breach or by another failure, could endanger the life, health or personal safety of part or all of the population.
DSPs are broader in nature. The Directive, and the UK's NIS Regulations 2018 that implement it, define three types of DSP:
- Online search engines that allow users to search public parts of the world wide web.
- Online marketplaces – sites that act as platforms connecting buyers and sellers, excluding online retailers and classified ad sites.
- Providers of cloud computing services, defined as digital services that give access to a scalable and elastic pool of shareable computing resources. This includes public cloud services such as IaaS, PaaS and SaaS (infrastructure, platform and software as a service respectively).
To simplify, the organisations whose loss of service would have the greatest effect on the UK economy must comply with the NIS Directive. That effect includes both the direct impact of an outage and the knock-on impact a breach would have on other companies that depend on the service. One caveat: micro and small enterprises (fewer than 50 staff and an annual turnover or balance sheet total of no more than EUR 10 million) are excluded from the DSP obligations, so a small marketplace or cloud start-up is not in scope.
NIS and GDPR
GDPR is wide-ranging, applying to every organisation that processes the personal data of people in the EU. The NIS Directive applies only to a defined set of businesses. Even so, the two have some overlapping qualities.
- Both GDPR and the NIS Directive require risk-based security measures.
- Both GDPR and the NIS Directive impose notification requirements on businesses that have suffered a breach.
- Incidents with a ‘substantial impact’ (for DSPs) or a ‘significant impact’ (for OES) must be reported under the UK's NIS Regulations without undue delay and in any event within 72 hours of the operator becoming aware of them, the same timeframe GDPR sets for notifying the supervisory authority of a personal data breach.
- The NIS Directive is a guideline to be used by member countries in the creation of their own cyber security legislation. GDPR, on the other hand, is a set regulation that applies across all member countries, with no variation.
- GDPR’s notification duty is triggered by a personal data breach that is likely to put individuals’ rights and freedoms at risk. The NIS Directive instead requires reports on any incident that affects the service, regardless of whether any data was compromised at all. What matters under NIS is the impact of the incident: the number of users affected, its duration, its geographical spread, the extent of the disruption to the service, and its effect on economic and societal activities, including any danger to public safety or material damage.
- While GDPR focuses on personal data and how it is used, the NIS Directive is focused on improving overall network security.
Cyber security power-up
In the flurry of GDPR emails, articles and deadline panic, it is easy to see how the narrower and more technical NIS Directive has been overshadowed while everyone was busy focusing on data consent.
However, it is worth taking the time to read the NIS technical guidance, whether you are an OES, a DSP or neither. In the UK that guidance is the NCSC’s Cyber Assessment Framework, whose principles cover managing security risk, protecting against cyber attack, detecting cyber security events and minimising the impact of incidents: sound practice for any organisation, not just those in scope. The rise of cyber crime means cyber security procedures need to keep improving, and businesses of all sizes, from all sectors, would do well to pay attention to the NIS Directive.
After all, as we transition to an increasingly digitally connected world, a strong cyber-defence is the best way to offer peace of mind for both you and your customers.