
EU NIS Directive: The European Union’s First Cybersecurity-focused Legislation

Alex Campanelli | June 22, 2018

Last month, the EU NIS Directive (Directive on Security of Network and Information Systems) went into effect. This directive is the first EU-wide piece of legislation specifically focused on cybersecurity. Its goal is to “achieve a high common level of security of network and information systems within EU.” Network and information systems, and the essential services they support, play a vital role in society; their reliability and security are essential to everyday activities.

The EU NIS Directive has three main components: (1) improving the cybersecurity preparedness of each Member State; (2) increasing cross-border collaboration among EU Member States; and (3) strengthening risk management and incident reporting obligations for “operators of essential services and digital service providers” by requiring national supervision of critical sectors in each Member State. The impact of the Directive is twofold: it has implications both for the EU Member State Computer Emergency Response Teams (CERTs) and for the Operators of Essential Services (OES).

Because the Directive is focused on strengthening national security, every EU Member State was required to transpose it into national law by May 9, 2018. Each Member State then has until May 2019 (one year) to provide cybersecurity assessments of its country’s “operators of essential services.”

The Directive is wide-reaching, and includes “operators of essential services” (OES) in the following sectors: energy, transport, banking, financial market infrastructures, healthcare, and digital infrastructure.

The Directive also covers important digital businesses, referred to as “digital service providers” (DSPs), which will likewise be required to take appropriate security measures and to notify “substantial incidents” to the competent authority. This category includes online marketplaces (which allow businesses to set up shops on the marketplace in order to make their products and services available online), cloud computing services, and search engines.

For EU Member State CERTs and other European regulatory agencies, BitSight provides the ability to rapidly assess the cybersecurity of third parties (i.e. operators of essential services) and enables EU Member States to continuously monitor (i.e. “supervise”) the cybersecurity of those third parties. EU Member State CERTs can use BitSight to continuously monitor and assess the cybersecurity of the organizations deemed “operators of essential services” within their country through both Security Ratings and Sovereign Security Ratings.

For OES, the Directive requires them “to take appropriate security measures and to notify serious incidents to the relevant national authority.” Security measures include: (1) preventing risk; (2) ensuring the security of network and information systems; and (3) handling incidents in a way that prevents and minimizes the impact on IT systems. BitSight gives organizations the ability to continuously monitor their own security posture, be alerted to potential exploitation, and use forensic data to respond quickly to security incidents.

As May 2019 approaches, institutions will need to be prepared to meet the Directive’s guidelines. Not only will they have to comply with these regulations, but they will also need ways of monitoring and assessing both their own security posture and that of their OES. BitSight Security Ratings and Sovereign Security Ratings are the optimal solutions for continuous first- and third-party cyber risk management.
