Berlingske Business
17:42

NIS Directive: One Small Step for Man, One Giant Leap for Digital Society


The Internet is often referred to as the Wild West, a relatively ungoverned space, yet the European Union (EU) took a huge step forward in coming to agreement on what should be included in the forthcoming Network and Information Security (NIS) Directive. This landmark directive – the first time the EU has legislated on cybersecurity – aims to raise cybersecurity and resilience capabilities across the EU’s 28 member nations.

What does this mean for businesses?
First and foremost, the December 7, 2015 agreement now moves the directive into the more formal steps – it will progress from concept into application via the development of national implementing regulations. Until now it’s been easy to view this as a distant goal, but timelines immediately become more predictable. Furthermore, with a defined scope of what types of organisations are covered and how, each should be looking to define their own plan now to ensure relevant compliance.

Who does it apply to?
The NIS directive has requirements at both a member state level and for businesses. Member states must have a defined national cyber strategy and capabilities to manage incidents that could impact digital society, by establishing (if they don’t already have one) a national CSIRT or computer security incident response team.
The directive specifically calls out obligations for “operators of essential services”, or those entities that are generally part of a country’s Critical National Infrastructure. The directive lists those essential services, which include as examples finance, healthcare, and energy, and requires them to have state-of-the-art cybersecurity and to notify, without undue delay, when they have significant incidents that could impact the continuity of the services they provide.
Also included are digital service providers (an area of much debate), which include the likes of e-commerce platforms, search engines, and cloud service providers. While the plan is that the requirements will be lighter on this group, their inclusion is a clear reflection of just how core these services are becoming to our increasingly digital society.

What should you do next?
Now that the scope has been settled, you should be able to clearly validate if you, your business partners, and/or your supply chain will be covered, so you can validate what the implications will be for your business.
Closely monitor implementation, especially by member states. Once the directive is published in the Official Journal of the European Union (which should occur shortly), member states will have 21 months to enact implementation regulations or laws. Timelines will become much clearer, which will allow you to define your plan for compliance.
At the same time, monitor for the General Data Protection Regulation which has similarly reached agreement. Although a separate piece of legislation, it is on a parallel track, and its conclusion will likely add to your requirements – pay attention to its scope and timelines.

The right mindset is key when thinking about compliance
In my experience, as businesses review the implications of the legislation, they can easily over-focus on the new requirement to notify. This is due to response being the largest gap for many in their current capabilities; to date, many had no mandate to do so. However, before focusing your energies on response, you should first determine if you are effectively doing all you can to prevent cyber incidents from occurring in the first place. The more you prevent, the less you will require responsive capabilities.
Cybersecurity continues to evolve at a rapid pace, yet it’s very easy to slip into the habit of taking the same security measures that worked in the past. Ask yourself when you last changed a security process, or reviewed your capabilities, and whether they remain state of the art. More rudimentary still: how do you measure success? Just what is the yardstick that allows you to validate the need for change? In the dynamic cybersecurity arena, continuing to do the same old things because they worked in the past typically means you are slowly slipping away from state-of-the-art capabilities.
