NIS Directive: get ready for compliance
Now transposed into French law, the NIS Directive will set new requirements for information systems security. But who is really concerned and what exactly do these obligations entail? Here is an overview of the questions companies have to answer to make sure they are compliant.
Voted in by the European Parliament in July 2016, the Network and Information Systems (NIS) Directive has created a set of obligations that aim to protect leading operators and service providers from cybersecurity risks and to standardise this legal framework across the Union. Its legal provisions were transposed into French law in early 2018. It is now the responsibility of all concerned stakeholders to acknowledge the new security requirements and to ensure compliance.
Who is concerned by the NIS Directive?
The 2013 French Military Planning Act (MPA) has already made cybersecurity a major requirement in ensuring the longevity of Essential Operators (EOs), namely the stakeholders whose services are vital for the nation’s sovereignty, such as the provision of water, energy or healthcare services, for instance.
But with the NIS Directive, EOs will no longer be the only concerned stakeholders. The law defines two new categories of stakeholders for which business continuity must be guaranteed: Operators of Essential Services (OES) and Digital Service Providers (DSP).
The Operators of Essential Services (OES) status is assigned to stakeholders whose services play a vital role for the nation, such as the provision of energy, water and healthcare services as well as transport, banking and financial market infrastructures. The exact list of companies appointed as OES must be fixed by decree before 9 November this year. After this date, the OES status will be assigned on an individual basis by the French Prime Minister.
The term Digital Services Provider (DSP) will include the B2B and B2C stakeholders underpinning the digital economy. More specifically it concerns market places, search engines and cloud computing services with at least 50 employees and that generate more than €10m in annual turnover. DSPs are not designated in the same way as OES: it is their responsibility to comply with legislation automatically.
What are the NIS Directive transposition requirements?
The transposition into law of the NIS Directive requires all OES and DSPs to know how to identify risks, protect themselves from said risks, ensure resilience and notify the relevant authorities of any incidents.
How about in practice? With regard to OES, the transposition act fixes the main cybersecurity domains affected by the law:
- Information systems (IS) and networks governance;
- Risk protection;
- Defence in the case of an attack;
- Business operations resilience.
For DSPs, the law states that they must guarantee a level of security that is adapted to existing risks and implement the measures needed to reduce them. These measures relate to the following domains:
- Systems and services security;
- Incident management;
- Business continuity management;
- Monitoring, audits, inspections;
- Compliance with international standards.
The security rules that must be implemented by OES and DSPs are set out in the law of 14 September 2018.
Whether it relates to OES or DSPs, any incident “likely to have a major impact on the supply or continuity of services” must be declared to the competent authority (CA) in the country where the incident takes place. In France, this is the French National data security agency: ANSSI.
In cases of negligence, the law has provided for the following significant sanctions:
- Up to €100,000 in fines for the absence or non-compliance with security legislation;
- Up to €75,000 in fines for the non-declaration of incidents;
- Up to €125,000 in fines for any obstruction to an ANSSI inspection.
What does compliance involve?
The fact that neglecting to declare an incident is sanctioned demonstrates just how complex the matter is: detecting risks and seeking protection from them is not enough. Companies also need to know how to qualify said incidents and how to establish the appropriate management policies. Compliance is far from a purely technical matter; it requires real governance.
How to prepare your organisation? The methodology used should follow this process:
It might seem like a heavy process, but it is crucial. The first phase will allow you to define the scope by identifying the critical services affected. The assessment from that stage will then be used to size up the project by identifying the gaps between what is already in place and the new requirements. These prerequisites are vital so that the compliance plan can be written in a way that takes into account budget restrictions as well as the overall business plan.
How to get started?
Compliance involves a real transformative approach, as much to the infrastructure as to the organisation as a whole. In the world of cybersecurity, however, we can take advantage of the experience of those affected by the requirements set out in the Military Planning Act (MPA) in 2013. From these complex projects we can draw some keys to success.
First of all, we can use foresight to avoid adding “urgency” to the project’s list of already numerous restrictions. Next, we can mobilise all those involved as soon as the project goes live, remembering to involve senior management and all the skilled workers likely to be concerned. Lastly, we can ensure that the project is monitored on a regular basis in order to identify quickly any problems encountered – as well as the inevitable dependencies and any sticking points – by approaching the authorities, such as the ANSSI, the CIGREF (the French large corporations network) or the CLUSIF (French Club for the security of information systems), when necessary to work to resolve them.
Compliance is often perceived as a restrictive expense with a return on investment that is difficult to demonstrate. However, first-hand experience and feedback show that in the end it is an opportunity to get to the root of security problems and to transform IS security for good. Doing so in a context of rising threat levels means that it will become a real advantage for the company’s partners and finally guarantee business resilience.