An Overview of the NIS Directive

Contents

What is the NIS Directive?
Who are the Operators of Essential Services (OES)?
Who does the NIS Directive apply to?
Incidents the NIS Directive is intended to prevent
Penalties for failing to comply with the NIS Directive
What's the difference between NIS and GDPR?
Best practices for NIS Directive compliance
Secure remote OT and access governance in the spotlight
More OT regulations: ISA/IEC 62443 and NIST 800-82
Successful NIS compliance with SSH

 

Businesses with operational tech (OT) environments, especially those within the EU, must understand and comply with the NIS Directive. Here’s a comprehensive overview — and an outline of how organizations can ensure compliance.

 

When it comes to operational technology (OT), compliance is critical. Many regulations, rules, and directives have recently been formed — especially in the EU — in order to promote the secure sharing, storage, and management of sensitive data.

The Directive on Security of Network and Information System, known as the NIS Directive, was the first cybersecurity legislation passed by the EU in 2016. The NIS Directive aims to widely establish shared NIS security standards and practices across the EU. 

The NIS Directive instructs member states to implement laws that follow the “spirit” of the Directive. For this reason, it is of the utmost importance that organizations fully comprehend the NIS Directive, its objectives, and how to meet all compliance requirements that apply to them.

This article will discuss the purpose of the NIS Directive, to whom it applies, and how organizations can execute effective and enduring compliance. We will also cover the difference between the NIS and the GDPR, a well-known cybersecurity regulation for EU data, and address the unique significance of the NIS Directive.

What is the NIS Directive?

The NIS Directive establishes specific security technical practices, measures, and requirements for companies in EU member states. These rules apply to the operators of essential enterprise services (OES) and digital service providers (DSPs) of EU data. The NIS Directive classifies a digital service as “any service normally provided […] by electronic means and at the individual request of a recipient.”

The aim of the NIS Directive is to promote more robust, reliable cybersecurity between European nations. In the not-so-distant past, EU member states handled cybersecurity challenges at the national level, which created weak links between international digital networks. By supporting secure cross-border communications, the NIS Directive encourages safe and seamless proprietary collaboration between enterprises across the EU.

In addition to guiding individuals towards better cybersecurity practices, the NIS Directive encourages  “effective, proportionate, and dissuasive” penalties for non-compliance. However, each member state must decide and enforce NIS penalties within its own nation. 

EU member states must also possess a national framework that meets the Directive and monitors cybersecurity incidents. However, DSPs who must adhere to the NIS Directive require less rigid frameworks than operators of essential services.

Who are the Operators of Essential Services (OES)?

The NIS Directive does not directly define which organizations are to be regarded as OES. However, it includes a set of criteria for member states to identify which enterprises fall under the purview of the directive as OES.

According to Article 5(2), the criteria for the identification of the operators of essential services are as follows:

  • The entity provides a service that is essential for the maintenance of critical societal and/or economic activities.
  • The provision of that service depends on network and information systems.
  • An incident would have significant disruptive effects on the provision of that service.

Furthermore, Article 4(4) of the NIS Directive states that an OES is a “public or private entity of a type referred to in Annex II” meeting the criteria above. Examples include: 

  • Energy
  • Electricity, oil, and gas
  • Transport: air, rail water, and road
  • Drinking water supply and distribution

When you add the manufacturing industry into the mix, you can see that operational technology is strongly covered by the NIS Directive.

Who does the NIS Directive apply to?

The NIS Directive applies to all companies within the 27 EU member states, as well as any enterprise outside of the EU that leverages services available to individuals within the European Union. 

Non-EU companies that must comply with the NIS Directive must assign an EU-based representative who can act on their behalf to ensure appropriate implementation of the Directive.

Incidents the NIS Directive is intended to prevent

The NIS Directive is intended to prevent many different types of cybersecurity vulnerabilities and related attacks, including but not limited to:

  • Ransomware. When ransomware finds its way into an enterprise system, it can quickly jump from network to network. Take the WannaCry virus, which exposed a specific vulnerability in Microsoft Windows that spread through the internet. This ransomware afflicted more than 200,000 computers across 150 countries, ultimately costing up to £6 billion globally. 

  • Cyberattack side effects. When malicious software weaves its way into international enterprise networks, issues unrelated to cybersecurity arise. For example, infrastructure crashes and transport paralysis can lead to delayed operations and roadblocked or compromised communication. These problems can spiral into even more drastic consequences, all of which occur alongside the damage associated with the data compromise.

  • New-wave cyberattacks. Hackers are getting smarter every year, and the NIS Directive accounts for this by ensuring NIS practices are designed to prevent new and emerging forms of cyberattack. For instance, the infamous NotPetya malware used a non-authentic decryption-for-payment approach that resulted in a complete lack of decryption keys. NotPetya attacked the websites of Ukrainian organizations, including banks, newspapers, ministries, and electricity firms. Similar infections were reported across Germany, France, Italy, the United States, and other countries. This is just one example of the new, malicious cryptography emerging today. NotPetya also caused a power surge that left 75,000 people stranded and cost roughly £100 million.

Penalties for failing to comply with the NIS Directive

Instead of enforcing specific penalties, the NIS Directive gives individual EU member states the right to determine distinct non-compliance penalties. However, NIS clearly explains that these penalties should be “effective, proportionate, and dissuasive” — that is, they be appropriate to the nature of the non-compliance and prevent repeat charges.

NIS fines can reach up to £17 million. In addition to imposing financial penalties, the NIS Directive can:

  • Conduct assessment inspections of NIS obligations
  • Demand information notices that provide proof of NIS compliance
  • Impart enforcement notices telling organizations how to fix identified NIS failures

Organizations need to know that they can be penalized more than once under the NIS Directive. That means businesses can be fined and punished for every separate NIS violation under each aspect of the legislation.

What’s the difference between NIS and GDPR?

The GDPR (General Data Protection Regulation) is a document that seeks to promote the privacy, security, and management of personal data in the EU. GDPR defines personal data as any information that could directly or indirectly be linked back to a person and used to identify them. Personal data includes names, email addresses, locations, and web cookies.

Like the NIS Directive, GDPR laws apply to any organization that provides services to and collects data associated with residents of the European Union — even if the organization is outside of the EU itself. But the key difference between GDPR and the NIS Directive is what they pertain to. The NIS Directive aims to secure network and information systems, as well as their digital data; it covers personal data, enterprise data, and other critical information. Meanwhile, GDPR only applies to information that malicious actors could use to identify individuals.

Other differences between GDPR and the NIS Directive include the following:

  1. The NIS Directive does not apply to operators of essential services (OES) or relevant digital service providers (RDSPs) — instead, these enterprises must follow GDPR security requirements.

  2. By default, “digital data” does not include manual data — meaning the NIS Directive does not cover manual data. GDPR, on the other hand, covers data forms that are involved in filing systems.

  3. As Dennis ’t Jong, specialist inspector at the Dutch Telecom Agency, put it: “GDPR is aimed at protecting the privacy of citizens, and the NIS at protecting the cyber resilience of organizations.”

Best practices for NIS Directive compliance

In order to follow best practices for the NIS Directive, organizations should adhere to the four objectives and 14 principles of NIS compliance laid out by the Cyber Assessment Framework (CAF). The CAF was released in 2018 by the UK’s National Cyber Security Center (NCSC) and highlights ways for organizations to ensure NIS compliance.

The four objectives, and their corresponding principles, of the CAF are as follows:

Managing Security Risk

The four principles within this objective help organizations employ the appropriate policies, structures, and processes for systematically assessing and understanding NIS security risks.

  1. Governance: Putting processes and policies in place for properly conducted, controlled NIS security.
  2. Risk management: Identifying, assessing, and understanding present security risks, and establishing a steady risk management approach within an organization.
  3. Asset management: Determining all systems and services that support essential functions.
  4. Supply chain: Recognizing NIS security risks resulting from external suppliers.

 

Protecting Against Cyberattack

The six principles within this objective help organizations leverage suitable security measures around critical structures for protection against cyberattacks.

  1. Service protection and policies: Denoting appropriate processes and procedures for securing essential systems and data.

  2. Identity and access control: Comprehending, documenting, and controlling access to NIS properties that support essential functions.

  3. Data security: Preventing harm from coming to electronically transmitted and stored data, which could lead to adverse impacts. 

  4. System security: Protecting critical NIS and other technology from cyberattacks.

  5. Resilient networks and systems: Fostering resilience against cyberattacks.

  6. Staff awareness and training: Ensuring training helps staff make positive contributions to NIS cybersecurity. 

 

Detecting Cybersecurity Events

The two principles within this objective help organizations form security defenses that can properly, consistently, and rapidly detect cybersecurity incidents without negatively impacting essential operations. 

  1. Security monitoring: Detecting potential cybersecurity issues and tracking the effectiveness of existing measures.

  2. Proactive security event discovery: Spotting anomalous, irregular, and unexplained NIS events.

 

Minimizing the Impact of Cyber Security Incidents

The two principles within this objective help organizations shrink the extended impact of a cybersecurity event and restore critical functions when necessary.

  1. Response and recovery planning: Ensuring incident management and mitigation best practices are in place. 

  2. Lessons learned: Taking past incidents and implementing lessons learned from these experiences, for improved resilience of essential NIS functions.

Secure remote OT and access governance in the spotlight

Reading through all the above requirements is a hefty task, and that’s without attempting to implement all the required security measures in critical infrastructures.

But there are some fundamentals every serious company in the industrial automation business should take action on.

Article 4(7) describes an incident as “any event having an actual adverse effect on the security of network and information systems.” The term ‘security of network and information systems’ is then described under Article 4(2) as “the ability of a network or an information system to resist, at a given level of confidence, any actions that compromise the availability, authenticity, integrity, and confidentiality of stored or processed data or the related services offered by, or accessible via, those network and information systems.”

The above is an important point. It places special emphasis on how secure remote OT access to data and systems is being managed and how well the credentials that grant such access are being controlled.

We believe all OT businesses should be able to answer the following five questions.

  • What are my critical data and systems?

  • Where are my critical data and systems?

  • Who can access them?

  • Where are my keys and passwords?

  • Is my OT security future-proof?

If a company can give a sensible answer to all of the five questions above, their OT cybersecurity foundation is already in really good shape.  

More OT regulations: ISA/IEC 62443 and NIST 800-82

ISA/IEC 62443 is the global standard for the security of Industrial Control System (ICS) networks that help organizations maintain a high-security posture and mitigate the risk of ICS networks being victim to cyber-attacks.

NIST 800-82, Guide to Industrial Control Systems (ICS) Security, provides guidelines on how to protect ICS, including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC).

ISA/IEC 62443, NIST 800-82, and NIS 2.0 all put special emphasis on OT security, system and data access, and credentials management.

Successful NIS compliance with SSH

Meeting and maintaining compliance with the NIS Directive can challenge many organizations. With our PrivX OT Edition solution, companies can apply the long-standing expertise of SSH for successful NIS implementation, preservation, and lifecycle management.

PrivX OT Edition leverages built-in features that tick all the boxes for complete, confident OT secure remote access lifecycle management including:

  • Secure remote access and sharing, plus secure files and uploads

  • Lifecycle management of access and credentials

  • A straightforward and uniform platform for excellent user experience

  • Automated linking of identities to roles with advanced workflow approval for jobs

With these capabilities and more, PrivX helps OT companies meet NIS compliance and overcome a wide range of OT challenges. Learn more about PrivX OT Edition!