NIS: How to prepare your organization for the NIS Directive
Is your organization ready for the NIS directive? In May this year, the new computer network and information security directive will take effect in the EU. To avoid the risk of steep fines, it is necessary to have a systemized IT security work in place.
2018 will be a busy year for companies using any kind of information technology. You have probably already heard of the EU regulation GDPR, which will, as of May 25, govern how companies can collect and handle personal data. But much less has been written about NIS, “Network and Information Security”. It is an EU directive that is in essence about increasing network and information security for social and digital services in the EU.
The NIS Directive takes effect on the tenth of May, before the GDPR, but since it is a directive, each EU member must decide on how to transpose the directive into the law (as opposed to a regulation that takes effect immediately). In Sweden, the government has proposed a new law which, if it is adopted, will come into force on August 1st this year. This means that companies and organizations still have some time to start working according to the NIS Directive’s principles.
What is NIS?
The NIS Directive affects the organizations active in one (or more) out of seven sectors of society, namely energy, transport, banking, financial market infrastructure, health care, supply and distribution of drinking water, and digital infrastructure. The background to the directive is that when more and more parts of society’s activities are dependent on digital infrastructure, the reliability and security of the systems becomes crucial.
“Network and information systems play an increasingly important role in society, and their reliability and security have now become fundamental to economic and social activities. The lack of common regulation for providers of socially important digital services has led the member states to have different levels of readiness against cyber threats. NIS is a way to strengthen information security in each sector,” says Visar Lapashtica, information security specialist at KPMG.
The NIS Directive is the first piece of EU-wide legislation on cybersecurity. It provides legal measures to boost the overall level of cybersecurity in the EU.
Like the GDPR, the NIS Directive dictates steep fines for those who do not meet the requirements, although it is not as clearly defined but up to each country to set their levels. Swedish companies should count on sums of up to ten million SEK in Sweden, and if the company operates in several EU countries, it may be fined there too.
What does NIS mean for Swedish companies and organizations?
For companies, the NIS Directive is primarily about reporting IT incidents, and requirements to work structured and methodically with its IT security work. For government agencies, all sub-contracts with IT companies will have to include requirements for them to report any IT incidents in the same way as the agencies themselves.
The requirement to report IT incidents may mean a new way of thinking for many companies and government agencies. In the past, you might have the instinct to cover up a discovered data breach to avoid damaging your reputation with customers and citizens. The NIS Directive instead requires reporting incidents so that companies and government agencies can learn from each other, and to share knowledge between EU members.
“If the organization allows access to sensitive data via mobile devices and the device is lost, it is important to quickly lock and wipe the device to prevent information from being stolen.”
Visar Lapashtica, KMPG
Exactly what it means to ”work structured and methodically with your IT security” will be defined by the regulatory authority that will be set up for each of the seven sectors covered in the NIS Directive.
“The focus will be on maintaining service availability. This and incident reporting are two high priority areas. If the organization has a systemized information security work in place already, it will be an easy transition to the NIS directive,” says Visar Lapashtica.
What can companies and government agencies do today to prepare?
A good starting point is the standardized framework for managing risks related to IT security.
“The ISO 27000 series is an internationally recognized standard for information security. It addresses risk management, how the organization can value assets, incident management and other areas of information security issues. It may not be necessary to certify your organization from the start, but the standard is a guide to how to start working with these issues,” says Visar Lapashtica.
A culture of security is now a must for sectors that impacts our economy and society as a whole. The NIS Directive want to address just that.
In order to report incidents, the first thing is to even know they happened. Therefore, one of the prerequisites for compliance with the safety level in the NIS Directive is continuous monitoring of critical networks. Another prerequisite is to be able to ensure that access to sensitive data and critical systems does not end up in the wrong hands.
“If the organization allows access to sensitive data via mobile devices and the device is lost, it is important to quickly lock and wipe the device to prevent information from being stolen. Therefore, an MDM system is central to a structured information security work,” says Visar Lapashtica.