Network and Information Systems (NIS) Regulations - A pocket guide for operators of essential services
eBook - ePub

Alan Calder

64 pages, English
About This Book

This pocket guide is a primer for any OES (operators of essential services) that needs to comply with the NIS Regulations, and explores who they are, and why the NIS Regulations are different for them.

An introduction to the new NIS Regulations 2018 that bring the EU's NIS Directive and Implementing Regulation into UK law.

This guide outlines the requirements for operators of essential services based on the Cyber Assessment Framework established by the National Cyber Security Centre (NCSC), including an explanation of the objectives, principles and indicators of good practice, and offers implementation guidance.

This guide will help you:

  • Understand how to comply with NIS Regulations, and avoid penalties associated with non-compliance
  • Unravel the key definitions, authorities and points of contact
  • Learn the benefits of a good Cyber Resilience plan
  • Interpret and ensure compliance with the Cyber Assessment Framework
  • Establish the NCSC's cyber security objectives, principles and indicators of good practice

Your essential guide to understanding the NIS Regulations – buy this book today and get the help and guidance you need.


Information

Publisher: ITGP
Year: 2018
ISBN: 9781787780545

CHAPTER 1: SCOPE AND APPLICABILITY

The NIS Directive is very clear about the definitions it uses for OES. However, its approach is to provide a set of parameters and to then require each Member State to identify the precise bounds of those parameters and to “identify the operators of essential services with an establishment on their territory” (Article 5(1)).
According to the NIS Directive, an OES is an organisation that provides services that are essential for “the maintenance of critical societal and/or economic activities” (Article 5(2)), which the NIS Regulations set out in section 8(1):
8(1) If a person provides an essential service of a kind referred to in paragraphs 1 to 9 of Schedule 2 and that service —
a) relies on network and information systems; and
b) satisfies a threshold requirement described for that kind of essential service,
that person is deemed to be designated as an OES for the subsector that is specified with respect to that essential service in that Schedule.
Schedule 2 of the Regulations sets out the key sectors within the UK based on the list defined in the NIS Directive, which identified the following essential sectors:
• Water (drinking water supply and distribution)
• Energy (electricity, oil and gas)
• Digital infrastructure (Internet exchange point (IXP) operators, domain name systems (DNS) and top-level domain (TLD) name registries)
• Health (healthcare providers)
• Transport (air, rail, water and road)
• Banking (credit institutions)
• Financial market infrastructures (trading venues and central counterparties)
Schedule 2 of the Regulations differs slightly from the set of sectors provided in the Directive on the basis of ‘lex specialis’ – there are existing special conditions in law for the banking and financial market infrastructure sectors. The UK government has determined that these sectors are already bound by equivalent provisions set by the Bank of England and the Financial Conduct Authority, and so they are exempt from the NIS Regulations. This is in line with Recital 9 of the Directive, which recognises that “Certain sectors of the economy are already regulated or may be regulated in the future by sector-specific Union legal acts that include rules related to the security of network and information systems”.
It is likely there will be specific cases that do not quite fit within either the Directive’s guidelines or the UK government’s thresholds – the EU is, after all, a huge entity, both geographically and demographically – but the Directive requires each Member State to formally identify its OES by 9 November 2018. The UK has taken a more ambitious approach, and so all OES were required to self-identify to their competent authority by 10 August 2018. Organisations that later meet the definition of an OES are required to self-identify within three months of doing so.
In the UK, the NIS Regulations specify in section 8(3) that competent authorities are also permitted to designate some ‘edge cases’ OES. This can only occur if three conditions are met:
1. The OES meets the sector, subsector and essential service requirements
2. The service provided relies on network and information systems
3. An incident has the potential to significantly disrupt the provision of the essential service
The government has set itself a deadline of 10 November 2018 to identify such edge cases.

Digital service providers

While this pocket guide focuses on OES, the Directive also imposes requirements on DSPs. It is entirely possible for an organisation to provide services both as an OES and as a DSP, while for other organisations it may be less clear whether they are one or the other.
To provide some measure of clarity, the Directive specifies that DSPs are organisations that provide digital services delivered “at a distance, by electronic means and at the individual request of a recipient of services”.11 Annex III of the Directive categorises the types of services covered:
• Online search engines
• Online marketplaces
• Cloud computing services
It is also important to note that the Directive does not require Member States to identify DSPs – unlike OES, the Directive is intended to apply to DSPs across the Union without exception or variance. This is made explicit in Recital 57, which explains that “Member States should not identify digital service providers, as this Directive should apply to all digital service providers within its scope. […] This should enable digital service providers to be treated in a uniform way across the Union”.
 
11 Directive (EU) 2015/1535, Article 1(b).

CHAPTER 2: AUTHORITIES AND BODIES

Alongside requiring Member States to set “security and notification requirements for operators of essential services and for digital service providers”, the NIS Directive also specifies that they must “designate national competent authorities, single points of contact and CSIRTs with tasks related to the security of network and information systems”.12
Each of these bodies will play an important role in how the Directive is applied in the Member States and across the EU. In the UK, the NCSC will operate as the CSIRT and the single point of contact, and as a technical authority on cyber security, all under the auspices of GCHQ.

Competent authorities

Competent authorities in the UK have been defined for each sector in the NIS Regulations. Schedule 1 of the Regulations lists the relevant government bodies that will be responsible for each sector. In the majority of cases, these are secretaries of state or ministers, who will delegate the authority to an agency under their control. The competent authority for DSPs is the Information Commissioner’s Office (ICO).
Competent authorities are the organisations or agencies that oversee compliance with laws and regulations implemented on the basis of the NIS Directive. There is no specified limit on the number of competent authorities a Member State can set and several countries other than the UK have assigned them on a sectoral basis.
The primary question that each Member State needs to answer is ‘What makes a competent authority competent?’ Recital 30 of the Directive offers guidance:
In view of the differences in national governance structures and in order to safeguard already existing sectoral arrangements or Union supervisory and regulatory bodies, and to avoid duplication, Member States should be able to designate more than one national competent authority responsible for fulfilling the tasks linked to the security of the network and information systems of operators of essential services and digital service providers under this Directive.
As does Recital 61:
Competent authorities should have the necessary means to perform their duties, including powers to obtain sufficient information in order to assess the level of security of network and information systems.
Essentially, competent authorities should be able to both assess how organisations apply the principles and enforce them. As such, some authorities will doubtless be provided with additional funding or resources, and whole new agencies may be necessary for some sectors. The NIS Regulations provide specific powers for competent authorities in the UK to inspect OES and DSPs, as well as enforcement powers.
While competent authorities are regulators, the Directive makes it clear that cooperation, rather than dictatorial assertiveness, is key to making sure it is effective. As Recital 31 states:
As this Directive aims to improve the functioning of the internal market by creating trust and confidence, Member State bodies need to be able to cooperate effectively with economic actors and to be structured accordingly.
Fundamentally, the competent authorities should operate, where possible, to facilitate business rather than to repress it. ‘Cooperation’ is a common theme throughout the Directive, and leads into the requirements for cooperation across the EU.

CSIRTs

The Directive requires each Member State to establish a CSIRT. CSIRTs already exist in a number of countries, the most famous team almost certainly being the first – the CERT Division – which was established at Carnegie Mellon University in the US and helped to create US-CERT. In the UK, the CSIRT is the NCSC.
CSIRTs are specialist units charged with providing guidance and support in the event of a significant incident, and tracking incidents globally so that useful information and lessons can be disseminated. In relation to the NIS Directive, this means the CSIRT must be able to react appropriately to incidents that could have significant consequences for critical national ...
