Network and Information Systems (NIS) Regulations - A pocket guide for operators of essential services
eBook - ePub

Alan Calder

  1. 64 pages
  2. English
  3. ePUB (mobile-friendly)
  4. Available on iOS and Android
About this book

This pocket guide is a primer for any OES (operators of essential services) that needs to comply with the NIS Regulations, and explores who they are, and why the NIS Regulations are different for them.

An introduction to the new NIS Regulations 2018 that bring the EU's NIS Directive and Implementing Regulation into UK law.

This guide outlines the requirements for operators of essential services based on the Cyber Assessment Framework established by the National Cyber Security Centre (NCSC), including an explanation of the objectives, principles and indicators of good practice, and offers implementation guidance.

This guide will help you:

  • Understand how to comply with NIS Regulations, and avoid penalties associated with non-compliance
  • Unravel the key definitions, authorities and points of contact
  • Learn the benefits of a good Cyber Resilience plan
  • Interpret and ensure compliance with the Cyber Assessment Framework
  • Establish the NCSC's cyber security objectives, principles and indicators of good practice

Your essential guide to understanding the NIS Regulations – buy this book today and get the help and guidance you need.

Information

Publisher: ITGP
Year: 2018
ISBN: 9781787780545

CHAPTER 1: SCOPE AND APPLICABILITY

The NIS Directive is very clear about the definitions it uses for OES. However, its approach is to provide a set of parameters and to then require each Member State to identify the precise bounds of those parameters and to “identify the operators of essential services with an establishment on their territory” (Article 5(1)).
According to the NIS Directive, an OES is an organisation that provides services that are essential for “the maintenance of critical societal and/or economic activities” (Article 5(2)), which the NIS Regulations set out in section 8(1):
8(1) If a person provides an essential service of a kind referred to in paragraphs 1 to 9 of Schedule 2 and that service —
a) relies on network and information systems; and
b) satisfies a threshold requirement described for that kind of essential service,
that person is deemed to be designated as an OES for the subsector that is specified with respect to that essential service in that Schedule.
Schedule 2 of the Regulations sets out the key sectors within the UK based on the list defined in the NIS Directive, which identified the following essential sectors:
• Water (drinking water supply and distribution)
• Energy (electricity, oil and gas)
• Digital infrastructure (Internet exchange point (IXP) operators, domain name systems (DNS) and top-level domain (TLD) name registries)
• Health (healthcare providers)
• Transport (air, rail, water and road)
• Banking (credit institutions)
• Financial market infrastructures (trading venues and central counterparties)
Schedule 2 of the Regulations differs slightly from the set of sectors provided in the Directive on the basis of ‘lex specialis’ – there are existing special conditions in law for the banking and financial market infrastructure sectors. The UK government has determined that these sectors are already bound by equivalent provisions set by the Bank of England and the Financial Conduct Authority, and so they are exempt from the NIS Regulations. This is in line with Recital 9 of the Directive, which recognises that “Certain sectors of the economy are already regulated or may be regulated in the future by sector-specific Union legal acts that include rules related to the security of network and information systems”.
It is likely there will be specific cases that do not quite fit within either the Directive’s guidelines or the UK government’s thresholds – the EU is, after all, a huge entity, both geographically and demographically – but the Directive requires each Member State to formally identify its OES by 9 November 2018. The UK has taken a more ambitious approach, and so all OES were required to self-identify to their competent authority by 10 August 2018. Organisations that later meet the definition of an OES are required to self-identify within three months of doing so.
In the UK, the NIS Regulations specify in section 8(3) that competent authorities are also permitted to designate some ‘edge case’ OES. This can only occur if three conditions are met:
1. The OES meets the sector, subsector and essential service requirements
2. The service provided relies on network and information systems
3. An incident has the potential to significantly disrupt the provision of the essential service
The government has set itself a deadline of 10 November 2018 to identify such edge cases.

Digital service providers

While this pocket guide focuses on OES, the Directive also imposes requirements on DSPs. It is entirely possible for an organisation to provide services both as an OES and as a DSP, while for other organisations it may be less clear whether they are one or the other.
To provide some measure of clarity, the Directive specifies that DSPs are organisations that provide digital services delivered “at a distance, by electronic means and at the individual request of a recipient of services”.11 Annex III of the Directive categorises the types of services covered:
• Online search engines
• Online marketplaces
• Cloud computing services
It is also important to note that the Directive does not require Member States to identify DSPs – unlike OES, the Directive is intended to apply to DSPs across the Union without exception or variance. This is made explicit in Recital 57, which explains that “Member States should not identify digital service providers, as this Directive should apply to all digital service providers within its scope. […] This should enable digital service providers to be treated in a uniform way across the Union”.

11 Directive (EU) 2015/1535, Article 1(b).

CHAPTER 2: AUTHORITIES AND BODIES

Alongside requiring Member States to set “security and notification requirements for operators of essential services and for digital service providers”, the NIS Directive also specifies that they must “designate national competent authorities, single points of contact and CSIRTs with tasks related to the security of network and information systems”.12
Each of these bodies will play an important role in how the Directive is applied in the Member States and across the EU. In the UK, the NCSC will operate as the CSIRT and the single point of contact, and as a technical authority on cyber security, all under the auspices of GCHQ.

Competent authorities

Competent authorities in the UK have been defined for each sector in the NIS Regulations. Schedule 1 of the Regulations lists the relevant government bodies that will be responsible for each sector. In the majority of cases, these are secretaries of state or ministers, who will delegate the authority to an agency under their control. The competent authority for DSPs is the Information Commissioner’s Office (ICO).
Competent authorities are the organisations or agencies that oversee compliance with laws and regulations implemented on the basis of the NIS Directive. There is no specified limit on the number of competent authorities a Member State can set and several countries other than the UK have assigned them on a sectoral basis.
The primary question that each Member State needs to answer is ‘What makes a competent authority competent?’ Recital 30 of the Directive offers guidance:
In view of the differences in national governance structures and in order to safeguard already existing sectoral arrangements or Union supervisory and regulatory bodies, and to avoid duplication, Member States should be able to designate more than one national competent authority responsible for fulfilling the tasks linked to the security of the network and information systems of operators of essential services and digital service providers under this Directive.
As does Recital 61:
Competent authorities should have the necessary means to perform their duties, including powers to obtain sufficient information in order to assess the level of security of network and information systems.
Essentially, competent authorities should be able to both assess how organisations apply the principles and enforce them. As such, some authorities will doubtless be provided with additional funding or resources, and whole new agencies may be necessary for some sectors. The NIS Regulations provide specific powers for competent authorities in the UK to inspect OES and DSPs, as well as enforcement powers.
While competent authorities are regulators, the Directive makes it clear that cooperation, rather than dictatorial assertiveness, is key to making sure it is effective. As Recital 31 states:
As this Directive aims to improve the functioning of the internal market by creating trust and confidence, Member State bodies need to be able to cooperate effectively with economic actors and to be structured accordingly.
Fundamentally, the competent authorities should operate, where possible, to facilitate business rather than to repress it. ‘Cooperation’ is a common theme throughout the Directive, and leads into the requirements for cooperation across the EU.

CSIRTs

The Directive requires each Member State to establish a CSIRT. CSIRTs already exist in a number of countries, the most famous team almost certainly being the first – the CERT Division – which was established at Carnegie Mellon University in the US and helped to create US-CERT. In the UK, the CSIRT is the NCSC.
CSIRTs are specialist units charged with providing guidance and support in the event of a significant incident, and tracking incidents globally so that useful information and lessons can be disseminated. In relation to the NIS Directive, this means the CSIRT must be able to react appropriately to incidents that could have significant consequences for critical national ...