<img height="1" width="1" style="display:none;" alt="" src="https://dc.ads.linkedin.com/collect/?pid=26304&amp;fmt=gif">
Regulation & Compliance

EU NIS Directive: The European Union’s First Cybersecurity-focused Legislation

Alex Campanelli | June 22, 2018

Last month, the EU NIS Directive (Directive on Security of Network and Information Systems) went into effect. This directive is the first EU-wide piece of legislation specifically focused on cybersecurity. Its goal is to “achieve a high common level of security of network and information systems within EU.” Network and information systems, and the essential services they support, play a vital role in society; their reliability and security are essential to everyday activities.

The EU NIS Directive has three main components: (1) improving cybersecurity preparedness of each Member state; (2) increasing cross-border collaboration among EU Member states; and (3) improving risk management and incident reporting obligations for “operators of essential services and digital service providers” by requiring National Supervision of Critical Sectors in each Member state. The impact of the Directive is two-fold and has implications for both the EU Member State Computer Emergency Response Teams (CERTs) as well as the Operators of Essential Services (OES).

With the focus of the Directive on increasing National Security, every EU Member state was required to transpose the Directive into national law by May 9, 2018. Each Member state then has until May 2019 (one year) to provide cybersecurity assessments of their country’s “operators of essential services.

The Directive is wide-reaching, and includes “operators of essential services” (OES) in the following sectors: energy, transport, banking, financial market infrastructures, healthcare, and digital infrastructure.

The Directive also includes important digital businesses, referred to as "digital service providers" (DSPs), who will also be required to take appropriate security measures and to notify “substantial incidents” to the competent authority. This category includes online marketplaces (which allow businesses to set up shops on the marketplace in order to make their products and services available online), cloud computing services, and search engines.

For EU Member State CERTs and other European regulatory agencies, BitSight provides the ability to rapidly assess the cybersecurity of third parties (i.e. operators of essential services) and enables EU Member states to continuously monitor (i.e. “supervise”) the cybersecurity of those third parties. EU Member state CERTs can leverage BitSight to continuously monitor and assess the cybersecurity of the organizations deemed “operators of essential services” within their country through both Security Ratings and Sovereign Security Ratings.

For OES, the Directive requires them “to take appropriate security measures and to notify serious incidents to the relevant national authority.” Security measures include: (1) preventing risk, (2) ensuring security of network and information systems; and (3) handling incidents in a way that prevents and minimizes the impact on IT systems. BitSight provides organizations the ability to continuously monitor their own security posture, be alerted to potential exploitations, and to leverage forensics data to quickly respond to security incidents.

As May 2019 approaches, institutions will need to be prepared to meet the Directive’s guidelines. Not only will they have to comply with these regulations, but they will also need ways of monitoring and assessing both their own security posture and that of their OES. BitSight Security Ratings and Sovereign Security Ratings are the optimal solutions for continuous first and third party cyber risk management.

Want to learn more about cybersecurity regulations and compliance?

READ MORE

Suggested Posts

EU NIS Directive: The European Union’s First Cybersecurity-focused Legislation

Last month, the EU NIS Directive (Directive on Security of Network and Information Systems) went into effect. This directive is the first EU-wide piece of legislation specifically focused on cybersecurity. Its goal is to “achieve a high...

READ MORE »

NIST Cybersecurity Framework Now Includes Supply Chain Risk Management Category

Recently, the National Institute of Standards & Technology (NIST), released an updated Version 1.1 of the NIST Cybersecurity Framework that now includes a new category on “Supply Chain Risk Management.”

READ MORE »

How Security Ratings Can Help Organizations Adhere to Hong Kong’s Cybersecurity Guidelines

The implementation of many strict cybersecurity regulations and requirements (including GDPR, NYDFS, and more) continues to increase on a global scale. 2018 has also brought about the continuation of strict cybersecurity regulations in the...

READ MORE »

Subscribe to get security news and updates in your inbox.