What does the Network and Information Security (NIS) Directive mean to EU businesses?

In Information Security / By Team Acumin / 12th April 2016

We all know that cybercrime does not respect European borders. In response to increasing cyber threats, the European Commission has proposed the Network and Information Security (NIS) Directive, which is expected to be formally adopted shortly.

The European Commission states that one of its top priorities is to create a ‘Digital Single Market’. It claims that this will generate around €250bn (£200bn) in additional business, as well as creating many new jobs. The NIS Directive aims to protect this market.

What is the NIS Directive?

Work on formulating the NIS Directive started in 2013 and is now in its final stages. The Directive has three main aims:

• Improving cooperation between Member States, and between the public and private sectors
• Raising the level of cybersecurity across European States
• Requiring operators of essential services, in sectors such as transport, banking, energy and health, to have risk management measures in place and to report significant security incidents to the national authorities

The European Commission believes that the NIS Directive will give consumers more confidence in the security of the technologies they use every day, and that digital networks operating across European borders will come to be regarded as reliable. Secure, reliable networks are in turn expected to increase business across European countries.

What are essential services?

The Directive is mainly aimed at operators of “essential services” and at digital service providers. The essential service sectors, as grouped here, are:

1. Energy – including energy production, storage and distribution
2. Transport – air, road, rail and sea transport operators, and ancillary services such as air traffic control, railway stations and ferry terminals
3. Financial services – banking, credit institutions and stock exchanges (the Directive itself lists banking and financial market infrastructures as two separate sectors)
4. Healthcare – including hospitals, GP surgeries and private sector healthcare businesses. Water supply and distribution is grouped here under health, although the Directive lists drinking water supply and distribution as a sector in its own right
5. Digital infrastructure – operators of key internet infrastructure, such as internet exchange points, DNS service providers and top-level domain registries

The Directive will cover both companies established in the EU and companies based outside the EU that provide these services within it.

Actions required

Essential service providers must put risk management measures in place to secure the network and information systems their services depend on. This includes handling security incidents when they occur and maintaining back-up systems that can keep the service running during an incident. Businesses need to monitor, audit and test their systems on a continuing basis.

If a system is breached or suffers a cyber attack with a significant impact on the service, a report must be filed with the competent authority in the Member State where the incident took place. The report must cover the number of users affected, how long the incident lasted, the geographical area affected and the extent of the disruption to the service. Incident reports should also give estimates of the economic and societal impact.

All companies affected by the NIS Directive will need to create and implement an NIS policy covering all their IT and information systems. They must have procedures for reporting incidents, and large companies will need a response team that is fully trained in reacting to security incidents.

Is the NIS Directive enough?

The NIS Directive is designed to produce a co-ordinated response to European cyber threats. What has not been made clear is how the European Union will enforce the Directive so that companies in all Member States adopt the same approach. Some countries, including Germany and France, tend to use legislation to enforce cyber security policies, whereas the UK prefers to encourage industry to adopt a voluntary code of practice.

The Directive leaves it up to each Member State to decide precisely which companies are classed as operators of essential services, and this may lead to inconsistencies between countries.

In the original proposals, ecommerce platforms, social networks, cloud services, search engines and app stores were included in the digital infrastructure category. These categories were removed by the European Parliament, and digital infrastructure was then defined as those services “essential for the maintenance of vital economic and social activities”. Some countries, including France and Germany, want to widen this definition to bring the excluded industries back under the digital infrastructure classification. Social network, cloud service and search engine providers are against this, as they claim that complying with the Directive will be very costly.

What happens if Britain leaves the European Union?

It would be remiss not to consider that a referendum on Britain leaving the European Union takes place in June. If Britain does leave the EU, the NIS Directive will no longer apply to it, and Britain will need to create its own cyber security policies. The easiest way to do this would be to mirror most of the NIS Directive; if the government decides that the NIS Directive is a good system, copying it makes sense.

If a UK company provides essential services in European countries other than the UK, those operations will still be covered by the NIS Directive if Britain leaves.

Following high-profile hacks in recent months, such as those affecting TalkTalk and Ashley Madison, the public is concerned about cyber security. Whether Britain stays in the EU or not, the need for robust cyber security policies remains. Good cyber security is essential for every business with an online presence, whether or not it is regarded as an essential service.

Security breaches can be costly. TalkTalk, for example, lost around 250,000 customers following its security breach, with a significant impact on the telecommunications firm’s revenue. Most companies will need to spend money on hiring skilled cyber security personnel and implementing robust security systems.

Beyond Europe

The Network and Information Security Directive is a response to the increased threat that cybercrime poses to essential European services, but the threat is not confined to Europe. U.S. President Barack Obama has said:

“America’s economic prosperity, national security, and our individual liberties depend on our commitment to securing cyberspace and maintaining an open, interoperable, secure, and reliable Internet.”

As the internet does not recognise borders, many believe that the cyber threat requires a coordinated international response. The International Cyber Threat Task Force (ICTTF) was set up on the premise that:

“It takes a network to defeat a network. We enable people from all over the world to learn, work, share and collaborate together to defeat cyber threats.”

The European NIS Directive may be effective in reducing cybercrime within the EU, but a wider worldwide response may also be needed.