Protecting our national infrastructure with the NIS Regulations
The NIS Directive has come into force in the UK today, in the form of The Network and Information Systems Regulations 2018. The Regulations are designed to protect our nation’s critical infrastructure, such as power and telecommunications.
Organisations that operate ‘Essential Services’ are now legally required to introduce robust safeguards against system failure and cyber attacks. And much like under the GDPR, organisations must report an actual or suspected breach to authorities, within 72 hours. The penalty for non-compliance? £17 million.
The new Regulations give industry regulators the power to assess the information and cyber security of Essential Services, and issue legally-binding improvement instructions, should the assessment show any weaknesses.
What is an Essential Service?
Essential Services include: electricity; oil; gas; air, maritime, rail, and road transport; water; healthcare; and digital infrastructure. Operators will be regulated by sector-specific ‘Competent Authorities’. There are thresholds for applicability in each of these sectors, which focus the Regulations on medium, large, or strategically significant providers.
Fines for non-compliance and breaches can be as high as £17 million, in addition to those already provided for by the General Data Protection Regulation.
However, the Regulations also create a ‘reserve power’ to require any organisation to comply with the new security requirements, if authorities identify a threat to public safety, a significant social or economic impact, or if national security could be impacted in any way.
What does compliance look like?
The National Cyber Security Centre has developed a systematic method of assessing the extent to which an organisation is adequately managing cyber security risks, when delivering Essential Services. This new assessment method, the Cyber Assessment Framework (CAF), is a framework to which Essential Services are expected to align. The CAF meets the needs of the NIS Directive, the Regulations, and wider Critical National Infrastructure protection requirements.
Organisations should ensure their security arrangements meet or exceed the requirements of the Regulations, and the CAF.
How can we help?
Data Protection People are able to hand-hold Operators through their compliance journey. Our team of CESG-NCSC Certified Professionals are able to conduct scope assessments, gap analysis, remediation work, and mock inspections. We can also respond to security incidents within Essential Services or Critical National Infrastructure.
We have a detailed working knowledge of both critical national infrastructure issues, and the NIS Directive. Our team has conducted threat assessments, and capability audits, for aerospace, shipping, and defence (including on the ground in Afghanistan). They hold industry qualifications such as CESG Certified Professional, Certified Information Systems Auditor, BSI Lead Auditor, and Certified Information Systems Security Professional.
If you are not sure whether the Regulations apply to you, or if you need help to bring your organisation into compliance, get in touch!