EU NIS Directive: The European Union’s First Cybersecurity-focused Legislation
Last month, the EU NIS Directive (Directive on Security of Network and Information Systems) went into effect. This directive is the first EU-wide piece of legislation specifically focused on cybersecurity. Its goal is to “achieve a high common level of security of network and information systems within EU.” Network and information systems, and the essential services they support, play a vital role in society; their reliability and security are essential to everyday activities.
The EU NIS Directive has three main components: (1) improving the cybersecurity preparedness of each Member State; (2) increasing cross-border collaboration among EU Member States; and (3) improving the risk management and incident reporting obligations of “operators of essential services and digital service providers” by requiring national supervision of critical sectors in each Member State. The impact of the Directive is twofold: it has implications both for the EU Member State Computer Emergency Response Teams (CERTs) and for the Operators of Essential Services (OES).
Because the Directive is focused on strengthening national security, every EU Member State was required to transpose it into national law by May 9, 2018. Each Member State then has one year, until May 2019, to provide cybersecurity assessments of its country’s “operators of essential services.”
The Directive is wide-reaching, and includes “operators of essential services” (OES) in the following sectors: energy, transport, banking, financial market infrastructures, healthcare, and digital infrastructure.
The Directive also covers important digital businesses, referred to as “digital service providers” (DSPs), which will likewise be required to take appropriate security measures and to notify “substantial incidents” to the competent authority. This category includes online marketplaces (which allow businesses to set up shops on the marketplace in order to make their products and services available online), cloud computing services, and search engines.
For EU Member State CERTs and other European regulatory agencies, Bitsight provides the ability to rapidly assess the cybersecurity of third parties (i.e. operators of essential services) and enables EU Member states to continuously monitor (i.e. “supervise”) the cybersecurity of those third parties. EU Member state CERTs can leverage Bitsight to continuously monitor and assess the cybersecurity of the organizations deemed “operators of essential services” within their country through both Security Ratings and Sovereign Security Ratings.
For OES, the Directive requires them “to take appropriate security measures and to notify serious incidents to the relevant national authority.” Security measures include: (1) preventing risk; (2) ensuring the security of network and information systems; and (3) handling incidents in a way that prevents and minimizes their impact on IT systems. Bitsight gives organizations the ability to continuously monitor their own security posture, to be alerted to potential exploitation, and to leverage forensic data to respond quickly to security incidents.
As May 2019 approaches, institutions will need to be prepared to meet the Directive’s guidelines. Not only will they have to comply with these regulations, but they will also need ways of monitoring and assessing both their own security posture and that of their OES. Bitsight Security Ratings and Sovereign Security Ratings are the optimal solutions for continuous first- and third-party cyber risk management.