CHAPTER 15: NIS DIRECTIVE

‘There are only two types of companies: those that have been hacked, and those that will be.’19 – Robert Mueller

Critical infrastructure service providers must follow several regulations. In the EU, critical infrastructure service providers must comply with both EU legislation and legislation imposed at the national level. EU law is generally enacted through one of two instruments: directives and regulations. Regulations apply directly and need not be adopted by the member states to take effect, while directives instruct the member states to create domestic legislation that puts the directive into effect.

CII service providers should be aware of the Network and Information Systems (NIS) Directive (Directive (EU) 2016/1148 of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union). By 9 May 2018, EU member states must adopt and publish the laws and administrative provisions necessary to comply with this directive.

The NIS Directive is the EU’s attempt to raise overall cyber security levels among infrastructure service providers in the EU and promote cooperation between member states. The Directive regulates CII service providers in the energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, and digital infrastructure sectors.

Article 14 of the Directive defines the requirements for security and for incident notification as they apply to operators of essential services. To slightly paraphrase:

Take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in their operations.

Take appropriate measures to prevent and minimise the impact of incidents affecting the security of the network and information systems used for the provision of such essential services, with a view to ensuring the continuity of those services.

Notify, without undue delay, the competent authority or the CSIRT (Computer security incident response team) of incidents having a significant impact on the continuity of the essential services they provide.

Each member state has to transpose these requirements into its national regulations. Several member states probably already have regulations that cover most or part of these requirements.

The Directive also sets obligations for member states’ national competent authorities, single points of contact and CSIRTs. Depending on the country, these functions can be fulfilled by one or more organisations. Several countries have created cyber security agencies that carry out all the functions.

According to the Directive, each member state:

Shall adopt a national strategy on the security of network and information systems defining the strategic objectives and appropriate policy and regulatory measures with a view to achieving and maintaining a high level of security of network and information systems (Article 7, clause 1).

Shall designate one or more national competent authorities on the security of network and information systems (‘competent authority’) (Article 8, clause 1).

Shall designate a national single point of contact on the security of network and information systems (‘single point of contact’) (Article 8, clause 3).

Shall designate one or more CSIRTs (Article 9, clause 1).

Shall establish a list of the services [essential for maintaining critical societal and/or economic activities] (Article 5, clause 3).

Annex I of the Directive describes the requirements and tasks of CSIRTs:

CSIRTs shall ensure a high level of availability of their communications services.

CSIRTs’ premises and the supporting information systems shall be located in secure sites.

CSIRTs shall be equipped with an appropriate system for managing and routing requests, in order to facilitate handovers.

CSIRTs shall be adequately staffed to ensure availability at all times.

CSIRTs shall rely on an infrastructure the continuity of which is ensured. To that end, redundant systems and backup working space shall be available.

According to Article 15 of the Directive, the national competent authority should have the powers and means to require operators of essential services to provide:

The information necessary to assess the security of their network and information systems, including documented security policies.

Evidence of the effective implementation of security policies, such as the results of a security audit carried out by the competent authority or a qualified auditor and, in the latter case, to make the results thereof, including the underlying evidence, available to the competent authority.

Since the Directive is relatively general in wording, it is necessary to develop several specific instructions and find a common methodology for consistent application.

Lesson 15: Follow regulations to improve cyber resilience of critical infrastructure services.
