The Network and Information Systems (NIS) Directive in 2021

At Risk Ledger, we've made it our mission to enhance trust and security across the global supply chain ecosystem by making it easier for organisations to share information and collaborate to reduce risks.

While awareness about the importance of implementing a comprehensive information security programme that takes supply chain risks into account has grown, prioritising and resourcing this is still a struggle for many organisations.

The NIS Directive (NIS-D), passed into law in 2018 across the EU, is an attempt to set a common level of security for network and information systems across the economic block to protect critical national infrastructure systems which play a vital role in the economy and wider society. It aims to address the threats posed to these important systems from physical, environmental and most notably, cyber incidents.

For us at Risk Ledger, the inclusion of specific obligations for organisations to actively manage supply chain risks in the NIS-D is an important recognition that a comprehensive cyber security regime must properly address the risks introduced by working with a network of third parties.

This blog is a brief introduction to the NIS-D, who it applies to and what it it is designed to achieve.

For those of you reading this in the UK, It is important to remember that the NIS-D was incorporated into UK law before the UK left the EU so the obligations in the law are still very much applicable to you if you work for a relevant organisation in the UK.

Talking of relevant organisations, let's take a moment to be clear about who the NIS-D is applicable to.

Are you in Scope?

I should start here by saying that if you work in a security role at an organisation that falls in scope of the NIS-D but are just finding that out via this blog, there has been a serious failure somewhere along the line and your first step should be to get in touch with the relevant competent authority for your industry.

NIS-D applies to what the Directive calls 'Operators of Essential Services' (OES) and 'Relevant Digital Service Providers' (RDSPs). These are organisations who operate and maintain infrastructure critical to the good functioning of the national economy and society such as transport, energy, water, health, and digital infrastructure.

How does the law work in practice?

It is important to understand how the law is implemented to fully understand how to fulfil your obligations and avoid sanctions for poor risk management controls.

As I mentioned earlier, the law applies to specific types of organisations who operate essential services but there are additional, more detailed criteria about the reach of their services and who depends on their services which are determined by the regulating authorities for the NIS-D.

These organisations operate in the Critical National Infrastructure (CNI) industries listed above and each one of those industries has a regulator which has been designated as a Competent Authority for the purposes of the NIS-D.

The role of Competent Authorities can be described by these four points:

1. They prepare and publish NIS-D guidance for relevant OES in their industry tailored to the specific challenges that the industry faces protecting network and information systems.
2. They review how the law has been applied by relevant OES in their industry to ensure it meets the standards and the spirit of the law.
3. They consult and co-operate with their counterparts in other industries and countries, law enforcement and the National Cyber Security Centre (NCSC) to maintain a robust and evenly applied set of NIS-D standards.
4. They enforce the NIS-D in their industry in line with the obligations and powers delegated to them by the law.

Competent Authorities guide OES on how they should be meeting the NIS-D requirements and determine whether or not OES are doing enough to comprehensively secure their network and information systems. This applies to all elements of the NIS-D including supply chain security risk management.

Working alongside Competent Authorities in the UK, the NCSC has been designated as the Technical Authority, the Single Point of Contact (SPOC) and the UK's Computer Security Incident Response Team (CSIRT) for the NIS-D.

As the Technical Authority for the NIS-D, they provide the bulk of the cyber expertise that goes into the guidance and support for OES and Competent Authorities.

In this role, the NCSC have produced and maintain the Cyber Assessment Framework (CAF) Collection which includes the 14 cyber security and resilience principles they have determined should underpin a good cyber security strategy for relevant OES, together with guidance on using and applying the principles, and the Cyber Assessment Framework (CAF) itself.

Those 14 principles are organised around four broad objectives; managing security risks (A), protecting against cyber attack (B), detecting cyber security events (C) and minimising the impact of cyber security incidents (D):

A.1 Governance - Putting in place the policies and processes which govern your organisation’s approach to the security of network and information systems.

A.2 Risk management - Identification, assessment and understanding of security risks. And the establishment of an overall organisational approach to risk management. A.3 Asset management - Determining and understanding all systems and/or services required to maintain or support essential functions.

A.4 Supply chain - Understanding and managing the security risks to networks and information systems which arise from dependencies on external suppliers.

B.1 Service protection policies and processes - Defining and communicating appropriate organisational policies and processes to secure systems and data that support the operation of essential functions.

B.2 Identity and access control - Understanding, documenting and controlling access to networks and information systems supporting essential functions.

B.3 Data security - Protecting stored or electronically transmitted data from actions that may cause an adverse impact on essential functions.

B.4 System security - Protecting critical network and information systems and technology from cyber attack.

B.5 Resilient networks and systems - Building resilience against cyber attack.

B.6 Staff awareness and training - Appropriately supporting staff to ensure they make a positive contribution to the cyber security of essential functions.

C.1 Security monitoring - Monitoring to detect potential security problems and track the effectiveness of existing security measures.

C.2 Proactive security event discovery - Detecting anomalous events in relevant network and information systems.

D.1 Response and recovery planning - Putting suitable incident management and mitigation processes in place.

D.2 Lessons learned - Learning from incidents and implementing these lessons to improve the resilience of essential functions.

To learn in detail what you you must do to comply with the NIS Directive, contact your relevant Competent Authority who will work with you to help you understand the available guidance in the context of your specific OES.

The NCSC's Cyber Assessment Framework requires OES to have a deep understanding of their supply chain, including sub-contractors which considers factors such as the supplier’s partnerships, competitors and nationality. The Risk Ledger platform's innovative secure 'social network' approach to supply chain security risk management has been adopted by many OES who simply could not effectively meet the NIS-D standard using their previous security assurance methods.

If you would like to find out more about why over 30% of the UK Water market and many others use the Risk Ledger platform, get in contact with us to talk to one of our product specialists.