Policy Q&A: The Basics of the NIS Directive

Share and earn Cybytes
Facebook Twitter LinkedIn Email

In this Q&A, Danielle Kriz, senior director of Global Policy, and Fred Streefland, senior manager of Product Marketing for EMEA, cover the basics of the EU’s Network and Information Security Directive and what it might mean for organizations.

Fred: Let’s talk about a new cybersecurity law in the European Union, the Network and Information Security (NIS) Directive. What is it, who does it apply to, and what do they need to do?

Danielle: It’s the EU’s first law specifically focused on cybersecurity, which I blogged about in May.  Through transposition into national laws, it applies in all 28 EU member states.

The NIS Directive aims to improve the cybersecurity capabilities of the EU’s critical infrastructure by setting security and incident notification obligations across many types of organizations offering essential and digital services. The NIS Directive also requires member states to enact national cybersecurity strategies and engage in EU cross-border cooperation, among other measures.

The requirements on industry outlined in the NIS Directive are applicable to two categories of entities: operators of essential services and digital service providers. Although the directive outlines generally what is in these categories, each member state is responsible for identifying the OES established in their territories that are in scope.

  • Operator of Essential Services (OES): Sectors covered include energy (e.g., electricity, oil and gas companies), transportation (including air, rail, water and roads), healthcare (like hospitals and clinics), certain banking and finance (such as credit) institutions, suppliers and distributors of drinking water, and digital infrastructure (like internet exchange points).
  • Digital Service Provider (DSP): There are three categories: online marketplaces, online search engines and cloud computing services. The Directive has some small company exceptions for DSPs.

The directive sets security and incident notification obligations on these organizations. They must:

  • Take appropriate and proportionate technical and organizational measures to manage risks to the security of their network and information systems, and these measures must “have regard to the state of the art.”
  • Take appropriate measures to prevent incidents affecting the security of their network and information systems.
  • Notify competent national authorities of security incidents of particular magnitudes.

These requirements are related to the networks and information systems used to provide the covered essential or digital services. The requirements also apply whether the OES or DSP manages its own network and information systems or outsources them.

The EU’s Agency for Network and Information Security (ENISA) has details on the directive.

Fred: How is the NIS Directive rolling out? 

Danielle: The NIS Directive sets out objectives and policies to be attained through legislation at an EU member state level. All 28 EU countries were required to put the directive into national law by May 2018 (although the reality is that as of August 2018, some still were behind).

The impact will vary based on how each country previously regulated companies for cybersecurity.  Some member states will make big changes and introduce new laws. Other member states might have existing laws into which they will need to integrate NIS requirements.

ENISA has issued non-binding guidelines for NIS so companies may want to look there. But many member states are expected to issue their own requirements. The European Commission has published a useful “state-of-play” of member states’ implementation of the NIS Directive.

Fred: Do non-EU headquartered companies need to worry about NIS?

Danielle: Yes, if they offer any of the covered essential or digital services in one or more EU countries.  Regardless of whether a company is headquartered in the EU or not, companies covered under NIS must follow the law in the EU country where they have their main establishment.  In fact, even companies providing digital services in the EU with no physical presence in the EU at all may be affected by the NIS Directive.

Therefore, we recommend that organizations operating in EU countries should do research and obtain legal advice on whether NIS applies to them and the exact details of what they must do.

Danielle: Now, let me ask you some questions, Fred. Assuming you are responsible for the security of an organization that needs to comply with the EU Network and Information Security Directive, what does this mean to you and the organization? As a former CISO, what would you do and how would you approach this?

Fred: Every operator of essential services or digital service provider in the EU needs to comply with this NIS Directive (with some small company DSP exceptions). You mentioned the requirements: they need to take measures that have regard to state-of-the-art technologies to manage the risks of their network and information systems. They must take appropriate security measures to prevent and minimize the impact of security incidents. Besides this, they also have the obligation to report security incidents of a certain magnitude to their national authority.

As a responsible person for information security, you need to become “in control” of the risks of your network and information systems. So, I would focus on what matters and start with getting visibility into the security of your network and information systems.

This means understanding:

– Which networks and information systems support the covered services and how they are currently secured.

– Whether the products and services you use to protect those networks/systems account for the state of the art.

–  What measures you are taking to prevent and minimize the impact of incidents on those networks and systems.

–  If you are able to track and identify the impact of incidents that may occur so that you are able to notify authorities as needed.

I also recommend reading a recent blog by Greg Day, our CSO for EMEA, that explains how CISOs can view the NIS Directive as a positive opportunity for change.

Danielle: Again, from the CISO perspective, what is the final takeaway you’d like to share?

Fred: It is imperative to get proper visibility into your networks, information systems and data. In my opinion, that’s a prerequisite for effective security and compliance.

Palo Alto Networks is committed to assisting our customers on their road towards NIS Directive compliance. If you want to know how we can help, please attend our upcoming EU NISD webinar.


For more information on the NIS Directive, download our paper What Is the NIS Directive?

The information provided in this blog, concerning technical legal or professional subject matters, is for general awareness only, may be subject to change, and does not constitute legal or professional advice, nor warranty of fitness for a particular purpose or compliance with applicable laws. Always consult a qualified lawyer on any specific legal problem or matter.

The post Policy Q&A: The Basics of the NIS Directive appeared first on Palo Alto Networks Blog.

Share this post and earn Cybytes
Facebook Twitter LinkedIn Email
About Palo Alto Networks
Palo Alto Networks is the next-generation security company maintaining trust in the digital age by helping tens of thousands of organizations worldwide prevent cyber breaches. With our deep cybersecurity expertise, commitment to innovation, and game-changing Next-Generation Security Platform, customers can confidently pursue a digital-first strategy and embark on new technology initiatives, such as cloud and mobility. This kind of thinking and know-how helps customer organizations grow their business and empower employees all while maintaining complete visibility and the control needed to protect their critical control systems and most valued data assets. Our platform was built from the ground up for breach prevention, with threat information shared across security functions system-wide, and designed to operate in increasingly mobile, modern networks. By combining network, cloud and endpoint security with advanced threat intelligence in a natively integrated security platform, we safely enable all applications and deliver highly automated, preventive protection against cyberthreats at all stages in the attack lifecycle without compromising performance. Customers benefit from superior security to what legacy or point products provide and realize a better total cost of ownership.
Promoted Content
Unit 42 Report - Ransomware: Unlocking the Lucrative Criminal Business Model
Ransomware, specifically cryptographic ransomware, has quickly become one of the greatest cyber threats facing organizations around the world. This criminal business model has proven to be highly effective in generating revenue for cyber criminals in addition to causing significant operational impact to affected organizations. It is largely victim agnostic, spanning across the globe and affecting all major industry verticals. Small organizations, large enterprises, individual home users – everyone is a potential target. Ransomware has existed in various forms for decades, but in the last several years criminals have perfected the key components of these attacks. This has led to an explosion of new malware families and has drawn new actors into participating in these lucrative schemes.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play

Support Cybrary

Donate Here to Get This Month's Donor Badge

Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?