EU NIS Directive: The European Union’s First Cybersecurity-focused Legislation

Alex Campanelli | June 22, 2018

Last month, the EU NIS Directive (Directive on Security of Network and Information Systems) went into effect. This directive is the first EU-wide piece of legislation specifically focused on cybersecurity. Its goal is to “achieve a high common level of security of network and information systems within EU.” Network and information systems, and the essential services they support, play a vital role in society; their reliability and security are essential to everyday activities.

The EU NIS Directive has three main components: (1) improving cybersecurity preparedness of each Member state; (2) increasing cross-border collaboration among EU Member states; and (3) improving risk management and incident reporting obligations for “operators of essential services and digital service providers” by requiring National Supervision of Critical Sectors in each Member state. The impact of the Directive is two-fold and has implications for both the EU Member State Computer Emergency Response Teams (CERTs) as well as the Operators of Essential Services (OES).

With the focus of the Directive on increasing national security, every EU Member State was required to transpose the Directive into national law by May 9, 2018. Each Member State then has until May 2019 (one year) to provide cybersecurity assessments of their country’s “operators of essential services.”

The Directive is wide-reaching, and includes “operators of essential services” (OES) in the following sectors: energy, transport, banking, financial market infrastructures, healthcare, and digital infrastructure.

The Directive also includes important digital businesses, referred to as "digital service providers" (DSPs), who will also be required to take appropriate security measures and to notify “substantial incidents” to the competent authority. This category includes online marketplaces (which allow businesses to set up shops on the marketplace in order to make their products and services available online), cloud computing services, and search engines.

For EU Member State CERTs and other European regulatory agencies, BitSight provides the ability to rapidly assess the cybersecurity of third parties (i.e. operators of essential services) and enables EU Member states to continuously monitor (i.e. “supervise”) the cybersecurity of those third parties. EU Member state CERTs can leverage BitSight to continuously monitor and assess the cybersecurity of the organizations deemed “operators of essential services” within their country through both Security Ratings and Sovereign Security Ratings.

For OES, the Directive requires them “to take appropriate security measures and to notify serious incidents to the relevant national authority.” Security measures include: (1) preventing risk; (2) ensuring the security of network and information systems; and (3) handling incidents in a way that prevents and minimizes the impact on IT systems. BitSight provides organizations the ability to continuously monitor their own security posture, be alerted to potential exploitations, and leverage forensics data to quickly respond to security incidents.

As May 2019 approaches, institutions will need to be prepared to meet the Directive’s guidelines. Not only will they have to comply with these regulations, but they will also need ways of monitoring and assessing both their own security posture and that of their OES. BitSight Security Ratings and Sovereign Security Ratings are the optimal solutions for continuous first and third party cyber risk management.
