How the EU’s NIS affects cloud service providers3 min read


The EU’s NIS – or Network Information Security – regulations are aimed at ensuring organisations that provide critical services implement sufficient cyber security measures and notify significant breaches or incidents to the relevant authority. Consequently, the UK implemented the NIS Directive in 2018, requiring organisations within the UK that are responsible for critical services to comply with these cyber security standards and referring them to register with the ICO.

The scope of the NIS Directive is generally thought to apply to power stations, health care, water supply and other such Critical National Infrastructure. Within the Directive, these organisations are termed “operators of essential services,” or an OES. However, this remit has naturally been widened as digital transformation continues to streamline and optimise organisations across industries – providers of these services are known as “digital service providers.” In short, it is imperative that cloud service providers, who provide data storage and other functional capabilities to infrastructure organisations, ensure that they maintain the high-level cyber security posture required by NIS and register with the ICO as an essential service.

Of course, cloud service providers should already have strong cyber security processes – after all, if customers can’t depend on the protection of their data and systems, they are likely to choose a competing provider. Similarly, the EU’s GDPR will likely seem to cover the requirements of the NIS Directive. However, these regulations were written to protect two different segments within information security. GDPR ensures the protection of personal data, while NIS focuses on ensuring that critical organisations have proper security measures in place for their systems.

To keep in line with the NIS Directive, here are some points cloud service providers should be considering:

  • The NIS Directive requires organisations to maintain a reasonable level of security according to their risks. Determining this level of security involves organisations regularly monitoring and assessing their risks, using tools like CyDesk. Checking your cybersecurity posture regularly is key, as new developments can necessitate various mitigation tactics.
  • Ensuring the security of your organisation’s systems and facilities has a broad remit, stretching from cyber concerns to physical administration. There needs to be proper systems access controls in place, safeguarding both the digital and physical health of your organisation’s infrastructure and systems.
  • Organisations should have relevant and tailored information security policies in place across departments, including risk analysis, HR, security of operations, security architecture, secure data, system lifecycle management and encryption.
  • Finally, if your organisation does suffer a security incident, there must be a process to manage the aftereffects. This process should include basic detection procedures, reporting, assessment and response, including a business continuity plan. Serious incidents or breaches must be reported to the ICO.

The NIS Directive aims to establish dependable policies within organisations that are deemed critical, including cloud service providers. Without these considerations, the chance of a hack or physical attack are high, and the resulting impact could be devastating.

This is the second in a series of blogs about the NIS Directive; you can read our first blog here. For more information on NIS, check out the resources from the ICO.

United Kingdom

+44 020 3190 5000

PopHub Leicester Square
41 Whitcomb Street
London WC2H 7DT

The Netherlands

Oude Udenseweg 29
5405 PD Uden
The Netherlands

Newsletter Signup

%d bloggers like this: