You may have heard about the GDPR, especially if you read our last blog. But there is another piece of EU legislation coming into effect in May this year that appears to have slipped under the radar.
The Directive on Security of Network and Information Systems (NIS Directive) requires operators of essential services (OESs) and digital service providers (DSPs) to take effective security measures against the risks to their network and information systems, and to have measures in place that minimise the impact of any incidents that do occur, ensuring business continuity.
What does this mean?
Broad guidelines have been given for how DSPs should be improving their cyber security. It will not affect any DSP with fewer than 50 employees and an annual turnover that does not exceed €10 million.
Below are four basic areas of the NIS Directive legislation:
- Security requirements
A DSP must have the appropriate security measures, organisational structures, policies and processes in place to show that it is doing everything in its power to reduce the risk of a cyber-attack and that it is protecting its services and systems at all times. It must demonstrate that it understands the incidents that could occur and that its measures take account of international cyber security standards.
- Incident reporting
The European Commission can issue an Implementation Act that will further establish the incident reporting guidelines. DSPs will have 72 hours to report an incident from the time of discovery, along with any related confidential information concerns.
- Competent authorities to monitor compliance
The UK government has proposed that the Information Commissioner’s Office (ICO) should act as the authority to monitor implementation and compliance. They will be responsible for deciding whether an incident should be made public, whether information should be obtained to assess compliance, identifying breaches of the Directive and enforcing any penalties.
- Penalties for non-compliance
DSPs will receive a less forceful approach to monitoring compliance with the NIS Directive than OESs, with enforcement only being applied after an incident has occurred, or if they are reported to be non-compliant.
The UK consultation document suggests that the financial penalties for non-compliance will be made up of two bands.
Band one will be for less serious offences, such as failure to comply or cooperate with instructions given by a competent authority, or failure to report incidents, resulting in a maximum fine of €10 million or 2% of annual turnover.
Band two will be for failing to implement the appropriate security measures, resulting in a maximum fine of €20 million or 4% of annual turnover.
What are your thoughts on the NIS Directive? Are you compliant? SCS Technology would love to hear your thoughts on Twitter @SCSTechnology.