NIS vs. GDPR – not siblings but cousins #NISR #GDPR

News and information from the Advent IM team.

Thank you to our resident NCIS expert, Great Wall of China charity-walking Director, Julia McCarron, for this timely reminder that GDPR is not the only regulation on the horizon and whilst it might not impact everyone, we need to be aware of it.

As the clock is ticking towards the need to comply with the EU General Data Protection Act (GDPR) by May 2018, so the new Data Protection Bill has entered parliament in its final stages of adoption and law making. The Bill essentially takes what was good from the Data Protection Act 1998, updates it to cater for today’s modern cyber and digital world, gives the people more power over their data and its use, and infuses it with European personal data protection requirements. Brexit or no Brexit GDPR will affect us all regardless, and the Bill is designed to give us basically a one-stop-shop where the EU is concerned.

So, I have no doubt that your daily inbox is overflowing with emails saying, “Come to our GDPR event”, “Time is running out for GDPR compliance”, “You need to buy our product to be GDPR compliant” etc… Whilst I would question the validity of any emails stating the latter, GDPR is an important piece of regulation that no business can afford to ignore. Time is running out … just 6 months to go. But it cannot be seen in isolation. It has to be part of a wider data protection review – you cannot comply with GDPR if you are not following data protection legislation and best practice. But you all know this … or you do now. And if you don’t know what to do about then see me after school J

But in amongst all of this there seems to be another EU directive that is operating under the radar.

The Networks and Information Systems (NIS) Directive’s inception is 4 years old. For those of you who are regular viewers to my blogs you will no doubt picture my enthusiasm when I first read about the Directive – NIS also standing for the US Naval Investigative Service, the pre-cursor department to my beloved NCIS. I had visions of Leroy Jethro Gibbs locking heads with heads of EU member states. But sadly that was where the connection ended. #GibbsRule51 – Sometimes you’re wrong.

The NIS Directive aims to improve the EU’s preparedness for a cyber attack. Member States recognised back in 2013 that the growing threat of these attacks could potentially effect not just one organisation, one county, one country but an entire union. This has already come to pass with the recent Wanna Cry ransomware attacks in May affecting not only UK NHS organisations but many others worldwide in a simultaneous attack. The ransomware attack crippled certain parts of the NHS and I know family affected directly by delays in obtaining important clinical test results as a direct result of Wanna Cry.

So, having looked into their crystal ball, the EU could see what was coming and put forward a proposal that became a directive in August 2016, giving Member States 21 months to embed the Directive into their respective national laws. So what was this proposal all about, what is the Directive’s aim?

Network and information systems and the essential services they deliver and support are critical in today’s society. Whether it’s the provision of health services, emergency services, transportation services or access to important utilities like water, gas, telecoms and electricity, even financial systems, they all rely on some form of networked digital infrastructure. And it’s these systems that we need to secure in order to maintain reliability, integrity and availability and keep the world going.

It is the Directive’s goal to raise levels of the overall security and resilience of network and information systems across the EU. To achieve this it provides the legal footing to:

  • Ensure that Member States have in place a national framework (eg a National Cyber Security Strategy), teams (eg Computer Security Incident Response Team (CSIRT)), and a national NIS competent authority so that they are equipped to manage a cyber security incident.
  • Set up a Cooperation Group among Member States to support and facilitate strategic cooperation and the exchange of information. The Member States will also need to participate in a CSIRT Network to promote swift and effective operational cooperation on specific network and information system security incidents and as well as sharing information about risks.
  • Ensure that businesses within vital sectors which rely heavily on information networks, for example utilities, healthcare, transport, and digital infrastructure sectors, are identified by each Member State as “operators of essential services” (OES). Those OES will have to take appropriate and proportionate security measures to manage risks to their network and information systems, and they will be required to notify serious incidents to the relevant national authority. Engagement with industry is therefore crucial in the implementation of the directive.

The UK plans to implement the NIS Directive. A DCMS public consultation concluded in September 2017 and responses are being analysed prior to a formal government response later in the year. But as with GDPR, time is running out as the deadline for member states transposing the Directive into domestic legislation is 9 May 2018. May is the month it seems ….

So who will the NIS Directive affect? Well, companies and organisations identified as either operators of essential services (OES) or Competent Authorities (CAs) are primarily involved. Certain sectors will be exempt from some aspects of the Directive where there are provisions within their existing regulations which are, or will be, at least equivalent to those the NIS Directive specifies (eg finance or civil nuclear sectors). Technical guidance is expected to be produced for each sector to make requirements clear.

The Directive operates 4 top level objectives within Article 14. These are:

  • Objective A. Appropriate organisational structures, policies, and processes in place to understand, assess and systematically manage security risks to the network and information systems supporting essential services eg. Governance structures, risk management, asset management, supply chain management.
  • Objective B. Proportionate security measures in place to protect essential services and systems from cyber attack eg. Service protection policies and processes, identity and access control, data security, system security, resilient networks and systems, staff awareness and training.
  • Objective C. Capabilities to ensure security defences remain effective and to detect cyber security events affecting, or with the potential to affect, essential services eg. Security monitoring, anomaly detection
  • Objective D. Capabilities to minimise the impacts of a cyber security incident on the delivery of essential services including the restoration of those services where necessary eg. Response and recovery planning, improvements

Hmm hello, haven’t we seen something very similar to this before somewhere?? Might that be the standard by which I live and breathe every day … my trusted friend ISO27001?? #GibbsRule39 – There’s no such thing as a coincidence!

So for those organisations that meet the criteria of an OES there is a pretty obvious direction to take. One certification. Many compliances. Fewer penalties. That’s not great English but you get the gist.

As to NIS’s relationship with GDPR, aside from the May deadline they do seem to be cousins. In the consultation paper the government has indicated that they will probably follow the penalty regime of the GDPR by proposing two bands of penalties, with fines of up to €20m or 4% of global annual turnover (whichever is greater) for the more serious offence of failing to put in place effective cyber security measures. However, NIS is about networks and systems security not just securing personal data. There are overlaps for sure but complying with one won’t automatically make you compliant with the other. So the familial relationship ends there.

So the moral of this tale is that, whilst flying under the radar in the most part, NIS cannot be ignored by suppliers of essential services and those providing digital services.

If you think you could be an OES, the criteria has been included within the Directive that has just closed for consultation. For digital service providers, the UK government has confirmed that the NIS Directive applies, in what it classes as a ‘light touch’ approach, to: online marketplaces, online search engines, and cloud computing services.

So what have we learned from today’s lesson:

  • NIS is about securing critical networks and services across the EU to prevent large scale, crippling cyber attacks.
  • NIS is a Directive that certain UK businesses will need to comply with by May 2018.
  • GDPR is a data protection regulation that all UK businesses will need to comply with by May 2018 and will form a large part of the Data Protection Bill.
  • Complying with ISO27001 will cover the majority of compliance requirements of both NIS and GDPR. However, complying with one in isolation will not ensure total compliance with either or both of the others.
  • ISO27001 best practice guidance is there for a reason – follow it and make your life easier. #GibbsRule5 – Don’t waste good.

More information on the 4 objectives can be found here for those of you wanting to see a bit more detail: https://www.ncsc.gov.uk/information/networks-and-information-systems-nis-directive-security-objectives-and-principles

When the Directive is implemented, within the UK the National Cyber Security Centre (NCSC) is expected to play a key role in supporting that implementation, providing security advice and guidance. The government’s nominated authority to oversee implementation and compliance with the Directive, as with GDPR, is the Information Commissioner’s Office (ICO).  So if you don’t do so already, sign up for their newsletters to keep abreast of guidance and best practice as well as any other developments that may benefit your organisation and the adoption or implementation process. Naturally, you should sign up for the Advent IM newsletter too and benefit from practical content across a range of Data Protection, Information and Cyber Security topics…. Keep ‘em peeled.

 

Share this Post