NIS – do your security systems comply with the latest directive?
Hands up if you’re aware of the Network and Information (NIS) Directive and what it means for your business. Unsure of the details? You’re not alone. The NIS Directive is the first piece of EU-wide legislation designed to boost the overall level of cybersecurity across member states and was launched just a few weeks before the EU’s General Data Protection Regulation (GDPR).
Whilst the GDPR received far greater levels of publicity – largely due to consumers’ rights and the understanding of online privacy – the NIS Directive is in reality far more important, addressing critical infrastructure services such as energy, transport, finance and digital infrastructure. Any business that classes itself as an operator of essential services (OES) or a digital service provider (DSP) must ensure compliance.
The directive imposes the same substantial financial penalties for non-compliance as the GDPR. In the UK, for example, non-compliant companies could face fines of up to £17 million, or four percent of global turnover. It’s been reported that enforcement of the directive could be a lot more stringent than that of the GDPR. As these fines could debilitate businesses, it is imperative that the relevant companies undertake due diligence in meeting its requirements.
Key NIS Directive compliance requirements
Although new legislation often means a lot of work for businesses, its arrival should be welcomed. We’re seeing an ever-increasing number of sophisticated cyberattacks, including the devastating NotPetya cyberattack in June last year, which cost shipping giant Maersk $300m to repair. The attack forced the company to halt operations at 76 terminals around the world¹. The NIS Directive will ensure businesses have the safest and smartest security solutions in place to protect their networks and data from such prolific threats.
In order to comply with the NIS Directive, companies must meet a number of technical and organisational requirements. The technical requirements include:
• An understanding of assets and a mechanism to identify unknown devices
• A mature vulnerability management program
• Mature threat detection systems, including detecting, identifying, and reporting capabilities
• Effective incident reporting mechanisms, including systems to record and report incidents within 72 hours of detection
• Mature incident management
• Response and recovery plans.
The organisational requirements consist of:
• Appropriate management policies and processes to govern their approach to the security of network and information systems
• An organisational approach to risk management
• Understanding and managing security risks throughout the supply chain
• Appropriate staff training and awareness regarding network and information system security.
How to select the right technology vendor
By now it is clear that a business is only as strong as its weakest link. It only takes one minor flaw in an internet-connected device to bring down an entire network, as many recent cyberattacks have demonstrated. That is why ensuring compliance with the NIS Directive will require a multi-layered cyber defence strategy incorporating modern security controls. That means it is important to select a vendor with the right expertise.
When considering a new partner, businesses must find out whether that partner has a device inventory that allows assets to be tracked; whether it has a vulnerability management policy and how it communicates this with the channel; and whether it holds any industry-recognised certifications, such as Cyber Essentials. Furthermore, is the partner in control of its own supply chain, and does it offer suitable training? This is important because, although suppliers alone won’t make a firm compliant with the NIS Directive, working with technology developed and deployed without security in mind could potentially compromise the integrity of a network.
The right partner will not only help you meet regulatory requirements, but will also provide you with cutting-edge technological solutions that help your business run safely and smartly. Learn more about our dedicated focus on cybersecurity: https://www.axis.com/about-axis/cybersecurity