Network and Information Systems (NIS) Regulations - A pocket guide for operators of essential services
eBook - ePub

Alan Calder

64 pages, English, ePUB (mobile-friendly), available on iOS and Android

Book information

This pocket guide is a primer for any OES (operators of essential services) that needs to comply with the NIS Regulations, and explores who they are, and why the NIS Regulations are different for them.

An introduction to the new NIS Regulations 2018 that bring the EU's NIS Directive and Implementing Regulation into UK law.

This guide outlines the requirements for operators of essential services based on the Cyber Assessment Framework established by the National Cyber Security Centre (NCSC), including an explanation of the objectives, principles and indicators of good practice, and offers implementation guidance.

This guide will help you:

  • Understand how to comply with NIS Regulations, and avoid penalties associated with non-compliance
  • Unravel the key definitions, authorities and points of contact
  • Learn the benefits of a good Cyber Resilience plan
  • Interpret and ensure compliance with the Cyber Assessment Framework
  • Establish the NCSC's cyber security objectives, principles and indicators of good practice

Your essential guide to understanding the NIS Regulations – buy this book today and get the help and guidance you need.


Information

Publisher: ITGP
Year: 2018
ISBN: 9781787780545
Category: Computer science

CHAPTER 1: SCOPE AND APPLICABILITY

The NIS Directive is very clear about the definitions it uses for OES. However, its approach is to provide a set of parameters and to then require each Member State to identify the precise bounds of those parameters and to “identify the operators of essential services with an establishment on their territory” (Article 5(1)).
According to the NIS Directive, an OES is an organisation that provides services that are essential for “the maintenance of critical societal and/or economic activities” (Article 5(2)), which the NIS Regulations set out in section 8(1):
8(1) If a person provides an essential service of a kind referred to in paragraphs 1 to 9 of Schedule 2 and that service —
a) relies on network and information systems; and
b) satisfies a threshold requirement described for that kind of essential service,
that person is deemed to be designated as an OES for the subsector that is specified with respect to that essential service in that Schedule.
Schedule 2 of the Regulations sets out the key sectors within the UK based on the list defined in the NIS Directive, which identified the following essential sectors:
  • Water (drinking water supply and distribution)
  • Energy (electricity, oil and gas)
  • Digital infrastructure (Internet exchange point (IXP) operators, domain name systems (DNS) and top-level domain (TLD) name registries)
  • Health (healthcare providers)
  • Transport (air, rail, water and road)
  • Banking (credit institutions)
  • Financial market infrastructures (trading venues and central counterparties)
Schedule 2 of the Regulations differs slightly from the set of sectors provided in the Directive on the basis of ‘lex specialis’ – there are existing special conditions in law for the banking and financial market infrastructure sectors. The UK government has determined that these sectors are already bound by equivalent provisions set by the Bank of England and the Financial Conduct Authority, and so they are exempt from the NIS Regulations. This is in line with Recital 9 of the Directive, which recognises that “Certain sectors of the economy are already regulated or may be regulated in the future by sector-specific Union legal acts that include rules related to the security of network and information systems”.
It is likely there will be specific cases that do not quite fit within either the Directive’s guidelines or the UK government’s thresholds – the EU is, after all, a huge entity, both geographically and demographically – but the Directive requires each Member State to formally identify its OES by 9 November 2018. The UK has taken a more ambitious approach, and so all OES were required to self-identify to their competent authority by 10 August 2018. Organisations that later meet the definition of an OES are required to self-identify within three months of doing so.
In the UK, the NIS Regulations specify in section 8(3) that competent authorities are also permitted to designate some ‘edge case’ OES. This can only occur if three conditions are met:
1. The OES meets the sector, subsector and essential service requirements
2. The service provided relies on network and information systems
3. An incident has the potential to significantly disrupt the provision of the essential service
The government has set itself a deadline of 10 November 2018 to identify such edge cases.

Digital service providers

While this pocket guide focuses on OES, the Directive also imposes requirements on DSPs. It is entirely possible for an organisation to provide services both as an OES and as a DSP, while for other organisations it may be less clear whether they are one or the other.
To provide some measure of clarity, the Directive specifies that DSPs are organisations that provide digital services delivered “at a distance, by electronic means and at the individual request of a recipient of services”.[11] Annex III of the Directive categorises the types of services covered:
  • Online search engines
  • Online marketplaces
  • Cloud computing services
It is also important to note that the Directive does not require Member States to identify DSPs – unlike OES, the Directive is intended to apply to DSPs across the Union without exception or variance. This is made explicit in Recital 57, which explains that “Member States should not identify digital service providers, as this Directive should apply to all digital service providers within its scope. […] This should enable digital service providers to be treated in a uniform way across the Union”.
[11] Directive (EU) 2015/1535, Article 1(b).

CHAPTER 2: AUTHORITIES AND BODIES

Alongside requiring Member States to set “security and notification requirements for operators of essential services and for digital service providers”, the NIS Directive also specifies that they must “designate national competent authorities, single points of contact and CSIRTs with tasks related to the security of network and information systems”.[12]
Each of these bodies will play an important role in how the Directive is applied in the Member States and across the EU. In the UK, the NCSC will operate as the CSIRT and the single point of contact, and as a technical authority on cyber security, all under the auspices of GCHQ.

Competent authorities

Competent authorities in the UK have been defined for each sector in the NIS Regulations. Schedule 1 of the Regulations lists the relevant government bodies that will be responsible for each sector. In the majority of cases, these are secretaries of state or ministers, who will delegate the authority to an agency under their control. The competent authority for DSPs is the Information Commissioner’s Office (ICO).
Competent authorities are the organisations or agencies that oversee compliance with laws and regulations implemented on the basis of the NIS Directive. There is no specified limit on the number of competent authorities a Member State can set and several countries other than the UK have assigned them on a sectoral basis.
The primary question that each Member State needs to answer is ‘What makes a competent authority competent?’ Recital 30 of the Directive offers guidance:
In view of the differences in national governance structures and in order to safeguard already existing sectoral arrangements or Union supervisory and regulatory bodies, and to avoid duplication, Member States should be able to designate more than one national competent authority responsible for fulfilling the tasks linked to the security of the network and information systems of operators of essential services and digital service providers under this Directive.
As does Recital 61:
Competent authorities should have the necessary means to perform their duties, including powers to obtain sufficient information in order to assess the level of security of network and information systems.
Essentially, competent authorities should be able to both assess how organisations apply the principles and enforce them. As such, some authorities will doubtless be provided with additional funding or resources, and whole new agencies may be necessary for some sectors. The NIS Regulations provide specific powers for competent authorities in the UK to inspect OES and DSPs, as well as enforcement powers.
While competent authorities are regulators, the Directive makes it clear that cooperation, rather than dictatorial assertiveness, is key to making sure it is effective. As Recital 31 states:
As this Directive aims to improve the functioning of the internal market by creating trust and confidence, Member State bodies need to be able to cooperate effectively with economic actors and to be structured accordingly.
Fundamentally, the competent authorities should operate, where possible, to facilitate business rather than to repress it. ‘Cooperation’ is a common theme throughout the Directive, and leads into the requirements for cooperation across the EU.

CSIRTs

The Directive requires each Member State to establish a CSIRT. CSIRTs already exist in a number of countries, the most famous team almost certainly being the first – the CERT Division – which was established at Carnegie Mellon University in the US and helped to create US-CERT. In the UK, the CSIRT is the NCSC.
CSIRTs are specialist units charged with providing guidance and support in the event of a significant incident, and tracking incidents globally so that useful information and lessons can be disseminated. In relation to the NIS Directive, this means the CSIRT must be able to react appropriately to incidents that could have significant consequences for critical national ...
