Thoughts on the European Union NIS Directive
If 2018 was the year when GDPR became a reality, could 2019 be the year of NIS? The General Data Protection Regulation came into force in May 2018 and, despite the warnings, many organisations were not fully prepared and have been fined accordingly. One of the heaviest punishments – a fine of $57 million – has just been imposed on Google by France’s data regulator. However, lurking in the background is what our CTO, Shadi Razak, calls the “silent giant”: the European Directive on the security of Network and Information Systems (NIS), known under UK law as The Network and Information Systems Regulations 2018 (NIS Regulations).
The NIS Regulations also came into force in May 2018 (following initial approval in April 2018). It’s important to point out that, despite it now being a regulation in the UK, a lot of organisations are under the impression that it is still only a European Directive and that compliance is not mandatory.
The Regulations focus on assuring the availability and protection of critical national infrastructure from cyber risks. Their terms apply to a wide range of organisations that provide, operate or make heavy use of the national critical infrastructure (examples include energy providers, transport operators, internet service providers, hospitals, financial institutions, logistics companies and digital service providers). This guide from the UK National Cyber Security Centre provides a useful overview of the Regulations and the accompanying guidance.
However, as Shadi explains: “Because it’s generally perceived as a directive, many organisations are not enacting it. Having it as a regulation means that a lot of the legacy systems currently in use will need to be reviewed, updated and protected. This will obviously come with a great and possibly unexpected cost.”
The NIS Regulations are important because, as we move rapidly towards a more seamless world, the boundaries between people and organisations are becoming increasingly blurred. Smart meters – for example – already know when we are home and how and when we use electricity and gas. Clearly this type of information can be highly critical for us as individuals, as well as for our national security.
“Big utility companies are aware of the Regulations/Directive,” says Shadi. “Yet many digital services providers and organisations that heavily utilise the national infrastructure are still far from implementing the Regulations’ guidelines. Part of why it’s difficult to do so is the emphasis placed by the Regulations/Directive on the need to have visibility of your supply chain (vendors, contractors etc.). Many sectors haven’t yet figured out how to do so more effectively.”
Last year GDPR dominated the headlines and, probably as a consequence, there was very little encouragement or pressure to convince people that they had to take action regarding the NIS Regulations. This extended to security professionals, who may have found it difficult to make a business case that would justify spending several hundred thousand pounds on security tools and procedures. In addition, security was not presented as offering a competitive advantage. However, cyber security is becoming increasingly top of mind because of regulation and fines.
To compound the challenges, both GDPR and NIS are risk-based regulations that emphasise the need to develop and adopt risk-based operations and processes. Many organisations view them as just another regulation with which they have to comply, providing evidence that ticks the boxes for the regulator. And that is where the danger lies, because being compliant doesn’t mean that you are risk resilient. In processes like these, organisations tend to over-complicate their existing compliance and security procedures, adding further layers of operation and process to an already complex system.
“One of the main risks of implementing and adhering to GDPR, NIS and other regulations is the fact that we end up ‘over-operationalising’ the process,” says Shadi. “We build additional frameworks, we establish new committees and so on, all of which result in additional layers to our current programmes. It becomes very complicated for people to manage, to navigate and to deliver. Instead it might be better to go back to ground zero and inject controls that assure the privacy and protection of current processes and create security champions who will promote these new practices across organisations.”
A relatively simple way to make NIS or GDPR become a reality is to plant the seed of risk awareness among employees. However, this may involve a change of emphasis away from privacy or security.
“We may move away from the stick and carrot approach and introduce the idea of the greater, public value,” suggests Shadi. “If you are careful at home, you will be the same at the office. And if you are like that at the office, you will take that home with you.
“But people are only human: they will often click on the wrong links. What’s missing at the moment is smart technology that will enable you to operationalise risk management without over-complicating things and support employees in managing risk by approval. Based on the context and observations the system collects, it will inform you of the best way to manage risk. With CyDesk we offer organisations a risk platform that automates and streamlines the risk operation for third parties and supply chain, improving user efficiency and effectiveness and enabling them to become more risk proactive and risk aware.”
The “silent giant”
GDPR is already beginning to make a difference and, in less than a year, it has boosted the compliance agenda and its profile. However, it’s not the “silent giant”.
“I look at NIS as ‘the silent giant’,” says Shadi, “because a lot of organisations are unaware of how difficult it will be to implement and they have underestimated its importance.”
“Organisations that have already thought about it and launched a gradual plan will harvest the fruits of being risk resilient and compliant,” says Shadi. “While others might not be able to operate unless they adhere to the NIS Regulations.”
Find out more about the Directive via the link. Details about the UK Regulations are available via the link.
Please contact CyNation for advice or further information.