Banking and finance. Energy. Health. Telecommunications & digital infrastructure. Transport. Drinking water supply and distribution. As much as these sectors may differ from one another, they all have at least one important trait in common: they are critical to our society and to our economy, providing essential services. Because of their critical nature, these sectors fall under the scope of the EU’s directive on Security of Network and Information Systems (NIS), as of May 2018.
NIS directive, the first piece of EU-wide cybersecurity legislation, is part of the EU Cybersecurity strategy proposed by the European Commission. Its goal is to enhance cybersecurity across the European Union in order to prevent cybercriminals from disturbing not only economic activities, causing substantial financial losses in the process, but also essential services. As such, that strategy very logically resulted in the NIS Directive, which is the first cybersecurity law of the EU that imposes relevant obligations both on the EU and on its Member States.
Does your organisation fall under the scope of the NIS directive?
Network and information systems & services play an important, if not central, role in our society, especially in supporting and fostering economic growth. Consequently, they need to be at all times reliable and secure. For that reason, the NIS Directive applies to Operators of Essential Services (OES) who depend on network & information systems. These organisations are public or private entities providing a service which is essential for the maintenance of critical societal and/or economic activities and fall under one of the following industries: energy, transport, health, banking, finance, digital infrastructure, water supply and distribution. However, an organisation is not automatically an OES, it first needs to be officially appointed by a national sectoral authority. Likewise, it is important that for a potential incident to have a significant disruptive effect on the provision of that service.
The NIS equally applies to critical Digital Service Providers (DSP), such as online marketplaces, online search engines and cloud computing services. Contrary to OES, who need to be established within the EU to fall under the scope of the directive, DSP can be based outside of the EU as long as they provide services within the EU.
Plenty of benefits.
Besides the fact that you are demonstrating compliance and eliminating the risk of getting fined by the competent authority, complying with the European NIS Directive brings with it plenty of other benefits. For one, it increases your resilience to cyberattacks. It also minimizes the impact of potential incidents. Moreover, it provides indispensable assistance with your risk management as well as it prevents the accumulation of external audits.
Last but not least, complying with the NIS Directive actually helps you grow your business, since it improves the quality of your product(s) and/or service(s) and it increases your trustworthiness towards both your service providers and your customers.
Please check out my next blog post to learn which organizational and technical measures the NIS Directive requires.