22 August 2018
The Network and Information Security (NIS) Directive is intended to create a base level of security for organisations that are operating essential services within the EU.
The directive was adopted on 6 July 2016 and became enforceable from 10 May 2018. The main sectors covered are energy, transport, banking, financial market infrastructure, health, drinking water supply and digital infrastructure.
Organisations that operate within these sectors are termed "operators of essential services" and must implement the provisions of the directive to establish the required base level of security for those services.
Unlike GDPR, which is a regulation that takes direct effect across all EU member states to ensure uniformity, the directive leaves it to each member state to transpose its requirements into national law. The result is a lack of consistency across the EU, the opposite of what GDPR set out to achieve. Fines, for example, will likely differ in level depending on whether a breach occurred in France, Italy or Germany.
There is also the consequence of not having a centralised approach. Whereas it would have been simpler to centralise the management of competent authorities, the directive allows member states to involve multiple regulators, which is likely to create confusion for multi-jurisdictional organisations as to whom they must report.
The main effects of the directive will be:
Moreover, there is now an explicit recognition of the reliance placed on cloud computing services and online search engines, so the directive also places an obligation on the large, often US-based, organisations that provide such services (including software-as-a-service, SaaS) to comply with the NIS Directive.
To find how our friendly and knowledgeable solicitors can help you, contact us today.