NIS Directive calls for more stringent cybersecurity practices

The Directive on Security of Network and Information Systems (the NIS Directive) is now in effect in all EU member states as part of an overall effort to protect end user entities from cyberattacks and threats. Against this backdrop, choosing security solutions providers that have the necessary knowledge and expertise in cybersecurity is key.
 
That was the point raised by Axis Communications in a recent blog post titled “NIS – do your security systems comply with the latest directive?”
 
The NIS Directive is the first piece of EU-wide legislation on cybersecurity. It was proposed by the European Commission and had to be adopted by all EU member states by May 9 this year.
 
According to the NIS website, the NIS Directive provides legal measures to boost the overall level of cybersecurity in the EU by ensuring: 1) member states' preparedness by requiring them to be appropriately equipped; 2) cooperation among all the member states, by setting up a cooperation group, in order to support and facilitate strategic cooperation and the exchange of information among member states; and 3) a culture of security across sectors which are vital for EU’s economy and society and moreover rely heavily on ICTs.”
 
While NIS received less media coverage than the EU’s General Data Protection Regulation (GDPR), its importance is nonetheless not to be ignored, according to the Axis post. “The NIS Directive is in reality far more important, addressing critical infrastructure services such as energy, transport, finance and digital infrastructure. Any business that classes itself as an operator of essential services (OES) or a digital service provider (DSP) must ensure compliance,” it said.
 

Key requirements

 
According to the post, companies must meet the following technical and organizational requirements to be NIS-compliant. The technical requirements include the following:
 

• An understanding of assets and a mechanism to identify unknown devices
• A mature vulnerability management program
• Mature threat detection systems, including detecting, identifying, and reporting capabilities
• Effective incident reporting mechanisms, including systems to record and report incidents within 72 hours of detection
• Mature incident management
• Response and recovery plans.

 
And the organizational requirements consist of:
 

• Appropriate management policies and processes to govern their approach to the security of network and information systems
• An organisational approach to risk management
• Understanding and managing security risks throughout the supply chain
• Appropriate staff training and awareness regarding network and information system security.

 

Selecting the right technology vendor

 
Similar to GDPR, the directive imposes significant fines for non-compliance – up to 17 million pounds in the U.K., for example, according to Axis – which can severely impact an end user organization’s operations. That’s why compliance must be ensured, and selecting the right security vendor is key in this regard, the post said.
 
“When considering a new partner, businesses must find out if they have a device inventory that allows them to track assets; whether they have a vulnerability management policy and how they communicate this with the channel; and if they have any industry-recognized certifications, such as Cyber Essentials,” it said.
 
Other questions that should be asked of the supplier include the following, Axis said. “Furthermore, are they in control of their own supply chain and do they offer suitable training? This is important as although suppliers alone won’t make a firm compliant with the NIS Directive, working with technology developed and deployed without security in mind could potentially compromise the integrity of a network,” it said. “The right partner will not only help you meet regulatory requirements, but they’ll also provide you with cutting-edge, technological solutions that will help your business to run safely and smartly.”