NIS Directive Compliance: It’s Just as Important as the GDPR

IT security managers have had plenty on their plate this year co-ordinating compliance efforts in advance of the forthcoming EU General Data Protection Regulation (GDPR). But while the sweeping new privacy law has dominated the headlines for the past year or more, there’s another important piece of regulation on its way from Brussels that will apply specifically to “operators of essential services” (OES). It’s known as the EU directive on the security of Networks and Information Systems (NIS).

With the same huge fines of up to £17m or 4% of global annual turnover levied for non-compliance, it’s vital that you consider the NIS Directive alongside GDPR efforts.

Protecting Essential Services

This new piece of legislation is slightly different from the GDPR in that it is a directive rather than a regulation, meaning it is more open to interpretation by individual member states. The government is currently consulting over exactly this. The other key difference is that, rather than focusing on any organisation which processes consumers’ personal data, it covers only OES organisations such as those in utility, healthcare, transport and similar sectors. As such, it’s aimed at improving general security standards within such organisations to ensure availability even in the event of a major attack.

The National Cyber Security Centre (NCSC) has this to say:

“Recent events such as the WannaCry ransomware attack, the 2016 attacks on US water utilities, and the 2015 attack on Ukraine’s electricity network clearly highlight the impact that incidents can have. There is therefore a need to improve the security of network and information systems across the UK, with a particular focus on essential services which if disrupted, could potentially cause significant damage to the economy, society and individuals’ welfare.”

There’s still plenty to be thrashed out during the consultation stage, but with a deadline for implementation into UK law of 9 May 2018, it pays to start preparations now if you want to avoid a last-minute GDPR/NIS compliance rush.

Time to Comply

The NIS Directive has 14 key principles, as part of four top-level objectives:

  • Have “appropriate structures, policies and processes” in place to understand, assess and manage security risks
  • Have “proportionate” security in place to protect key services and systems from attack
  • Ensure security remains effective and can detect any “events” which could threaten essential services
  • Put in place capabilities to minimise impact of an incident on delivery of essential services

Fortunately, there is plenty of information already published on each topic area, which should speed compliance efforts. As with the GDPR, following best practice frameworks like ISO27001 and the government’s Cyber Essentials will also help.

At Centrify, we’re particularly interested in the attention NIS pays to identity and access control, a key part of effective cybersecurity. It requires organisations to be clear about who is authorised to access their network and information systems or associated sensitive data, carefully restricting and periodically reviewing such rights.

It adds:

“For highly privileged access it might be appropriate to include approaches such as two-factor or hardware authentication.”

It’s good to see access controls getting major billing here. Increasingly, cybercriminals are taking advantage of password-based systems and the organisational “weak link” of poorly briefed staff to steal credentials in order to gain full network access. To ensure NIS compliance and all-round good security practice, we’d recommend at the very least that organisations implement:

  • Single sign-on and multi-factor authentication for key systems to reduce the risk of password theft
  • Least-privilege access policy so general users and system administrators only have access to the systems and applications they need for their roles
  • Strong user education programs to make staff aware of common phishing and other tactics

As the brute-force attacks on Scottish Parliament staff recently highlighted, password-based authentication systems are woefully ineffective against modern cybercriminals and nation-state hackers. So, ensure you take the time to revisit your access controls as part of NIS Directive compliance efforts. If you haven’t already done so, make this a priority today, and be sure to consider it alongside GDPR compliance plans to avoid duplicating efforts.

Centrify is running a monthly blog series, focusing on a different part of new EU legislation each time. In our first blog, we explained the scope of the GDPR. In our second blog, we addressed the first key step, Data Mapping. Our third blog covered Brexit and its impact on the GDPR, followed by a fourth focusing on data flows.