NIS Directive – 9th May is the Starting Point, not the Finishing Line.

The forthcoming NIS Directive is being studied keenly by Operators of Essential Services across the UK to understand the impact on their business. Whilst it does not have the same public attention as the more wide-ranging GDPR (another piece of EU cyber security legislation coming into force in May) NIS-D is of vital importance to the UK’s Critical National Infrastructure.

It is still true that there are a lot of details around the implementation of the NIS Directive that are yet to be finalised – government departments and other regulators who have been assigned as Competent Authorities (CA) are working to define what the specific implementation of the directive should look like for their relevant industries. However, just because these details have not yet been published, it does not mean that there are no activities that Operators can be starting.

Perhaps one of the most important first steps for Operators of Essential Services who will be subject to the Directive, is to baseline their current security state. This will generally be done by comparing what Operational Technology (OT) security measures they have in place against a recognised standard or best practice. Typically, IEC62443 is a good starting point, though other standards and guidelines are available and may be more relevant to that industry sector. It is expected that the CAs will not have sufficient cyber-trained staff available in the short term to run these benchmarking tests, so it is probable that cyber-services marketplace will be able to plug some of the gaps.

Another recommended action for Operators is to identify their CA and start the dialogue so that those channels of communication are open, and the CA can see you are engaged and willing to work towards improvement. The government will introduce a significant penalty regime for NIS-D of up to £17m, although it does have the view that penalties are a last resort. The conduct that will potentially lead to a fine are: failure to cooperate with the CA; failure to report a reportable incident; failure to comply with an instruction from the CA; failure to implement appropriate & proportionate security measures. It therefore goes to say that if you can foster a good relationship with your relevant CA, and work closely with them in terms of the security requirements they set, risk appetite and reporting channels, then it should be easier to avoid these large penalties.

We have to remember that the ultimate goal of the NIS Directive is to improve the resilience of essential services. Therefore, meeting the requirements set out in the directive will help your organisation to increase its resilience and can therefore reduce business risk. So it may help if we reframe the way we look at NIS-D, that rather than another onerous regulation that needs to be followed, to thinking of it as a set of good measures that can help business performance.

Rather than a cut-off point from when we must be compliant, for fear of the risk of fines,  we should view 9th May as the starting point of a journey to increasing the resilience of our systems – the time when we start with baselining what we already have and opening up a dialogue with the Competent Authorities to agree where and how we can improve. Good cyber security is not a destination, it is a way-of-life.

For more information, give us a call  on 01242 225 699 or drop a line to