News: NIS Directive. By sdl, 04/03/2021

While the GDPR focuses on the rights of the data subjects and the obligations of relevant actors in processing activities, the NIS Directive concerns the national critical infrastructure of Member States and focuses on the main economic sectors.

The first EU-wide legislation on cybersecurity, the Directive on Security of Network and Information Systems (the 'NIS Directive'), entered into force in 2016 after roughly three years of negotiations. It marked a step-change in cybersecurity: for the first time, a common approach to raising the level of security of network and information systems across the Union was established. This law therefore constitutes the primary anchor of the EU cybersecurity architecture.

The reasoning behind the directive is easy to understand: we have entered an era in which cybersecurity, or the lack of it, concerns us all.

The NIS Directive applies to organizations that deliver essential services within the EU. It divides them into two categories: Operators of Essential Services (OES) and Digital Service Providers (DSP). Each Member State is responsible for identifying which businesses on its territory qualify as OES; in general, organizations in energy, transport, banking and financial market infrastructure, healthcare, drinking water, and digital infrastructure fall into this category. Online marketplaces, cloud computing services, and online search engines are DSPs. DSPs are not identified individually by Member States but are in scope by definition, and the directive applies a lighter-touch regime to them.

Compliance is mandatory!

Whether your organization is an OES or a DSP, the two core obligations are the same:

  1. You must take appropriate and proportionate technical and organizational measures to manage the risks to the security of your networks and information systems.
  2. You must notify the competent authority (CERT-RO in Romania's case) of any incident with a significant impact without undue delay.

In practice, meeting these obligations means putting the following capabilities in place:

1. Vulnerability scanning

To comply with the NIS Directive, you need vulnerability scanning systems and tools capable of identifying security weaknesses proactively, before an attacker does.

2. Vulnerability management

You also need a coherent, repeatable process for identifying, evaluating, treating, and reporting on security vulnerabilities in your systems and in the software that runs on them. Scanning finds issues; vulnerability management is what makes sure they are prioritized and fixed.

3. Incident management

Effective incident management capabilities should be in place, allowing you to contain attacks, minimize their impact, and restore services as quickly as possible.

4. Reporting

Your organization must adopt incident reporting procedures that ensure significant cybersecurity incidents are reported to CERT-RO within the statutory deadline. That requires, in turn, a clear definition of what counts as a significant incident and who is responsible for making the notification.

5. Real-time incident simulations

To demonstrate compliance, you must regularly carry out real-time incident simulations (tabletop or live exercises) and keep a record of what was exercised, what was found, and what was changed as a result.

6. Logging data

An OES or DSP must retain logging data that allows the authorities to assess the security of its networks and information systems, and that lets the organization itself reconstruct what happened during an incident.

7. Technical and compliance security audits

Finally, it is vital to keep all security audit results for future reference in a way that is easy to access, consistent, and filterable, so that both auditors and the authorities can trace how findings were handled over time.

The supply chain is important.

As an OES or a DSP, you are also likely to have a complex supply chain. When hundreds of third-party suppliers interface with your networks and information systems, your threat landscape grows accordingly. To meet the demands of the NIS Directive, you have to be able to mitigate the risks in your supply chain and propagate your cybersecurity standards throughout your entire value network.

Centraleyezer: a power tool for clean NIS Directive compliance.

The message behind the NIS Directive is clear: an effective cybersecurity framework is an essential part of doing business today. When that many people rely on your services, the infrastructure that makes those services possible must be secured against threats from outside and from within.

At SANDLINE we developed a tool designed to lift the burden of NIS compliance: CENTRALEYEZER.

We assist you with every step and every requirement, drawing on our experience with public entities, organizations, and service providers.

Just remember: the NIS Directive is mandatory, and it is by no means an easy task to implement.


Written by: sdl
