The NIS Directive - Cyber Security's answer to GDPR?

22 August 2018

The Network and Information Security (NIS) Directive is intended to create a base level of security for organisations that operate essential services within the EU.

The legislation came into force on 6 July 2016 and became enforceable from 10 May 2018. The main sectors covered are energy providers, transport, banking, financial services infrastructure, health, water and digital infrastructure providers.

Organisations that operate within these sectors are termed “operators of essential services” and must implement the provisions of the Directive to establish the required base level of security for those services.

Unlike GDPR, a regulation that takes direct effect across all EU member states to ensure uniformity, the Directive leaves it to each country to determine how its provisions take effect. This means inconsistency across the EU, the opposite of what GDPR intends. So, for example, the fines levied will likely differ in level depending on whether a breach occurred in France, Italy or Germany.

There is also the consequence of not having a centralised approach. Whereas it would have been simpler to centralise the management of competent authorities, the Directive allows member states to involve multiple regulators, which is likely to create confusion for multi-jurisdictional organisations as to whom they report to.

The main effects of the Directive will be:

  • Financial penalties for breaches that impact essential services. These can be in addition to the fines levied under GDPR, which will also apply where there is a breach of personal data, although it remains to be seen whether either the NIS competent authority or the data supervisory authority would impose just one fine rather than a ‘double-jeopardy’ fine for the same breach.

  • Mandatory security breach notification. The GDPR’s 72-hour breach notification requirement is suggested to be the mirror-image of what is required under the NIS Directive.

  • Cross-EU cyber cooperation to support studies and strengthen defences.

  • Base level of security control implementation, such as Cyber Essentials in the UK, particularly as mandated when contracting for any public-sector work.

  • Supply-chain management to ensure uniformity and adherence to the same standards as the lead organisation.

  • The Directive will, in particular, impact the digital services market.

Moreover, there is now an explicit recognition of the reliance placed on cloud computing services and digital search facilities, and so the Directive places an obligation on the large US-based organisations that provide software-as-a-service (SaaS) to comply with it.
