Network and Information Systems Regulations
What are the NIS 2018 Regulations?
The Network and Information Systems Regulations (NIS Regulations) aim to raise levels of cyber security and resilience of network and information systems which are critical for the delivery of digital services and essential services in the UK.
The Regulations provide legal measures to protect essential services and infrastructure by improving the security of their Network and Information Systems and maturing their resilience.
Who do the NIS regulations apply to?
The EU NIS Directive was transposed into UK law as the NIS Regulations, which came into force on 10th May 2018.
If you are a relevant Digital Service Provider (DSP), or an “Operator of Essential Services” (OES) for Transport, Energy, Water Supply or Healthcare, then the NIS Regulations apply to you.
What do you have to do to comply?
OES and DSPs must take: “appropriate and proportionate technical and organisational cyber-security countermeasures to manage the risks to their system on which the essential (or digital) service relies.”
These measures include:
- Assessing risk;
- Applying levels of protection to systems and facilities;
- Preventing and minimising the impact of incidents;
- Reporting incidents to the relevant authority;
- Business continuity management;
- Monitoring and testing of processes and procedures;
- Compliance with international standards.
Who monitors NIS compliance in the UK?
Competent Authorities (CA) regulate compliance and take enforcement action where necessary, including issuing notices and imposing substantial financial penalties.
They comprise Ofgem; Department for Transport; Department for Environment, Food & Rural Affairs; Department for Business, Energy & Industrial Strategy; Ofcom; Department for Health; and the Civil Aviation Authority.
There are variations between CAs in England, Scotland, Wales and Northern Ireland, with different organisations having responsibility for a particular sector. For the Electricity sector in England, Scotland and Wales, the CA is the Secretary of State for Business, Energy and Industrial Strategy together with Ofgem (Joint Competent Authorities); in Northern Ireland, the CA is the Department of Finance.
The CA for DSPs is the Information Commissioner.
The Department for Digital, Culture, Media & Sport (DCMS) has the role of oversight of implementation of the NIS regulations across the entire UK.
Impact of Brexit on the Regulations
The NIS Regulations have been enacted into UK law, which means that Brexit does not change anything if you are in the UK.
Assessing Compliance
The National Cyber Security Centre (NCSC) is the United Kingdom’s National Technical Authority for advice and assistance on cyber security. It supports the CAs, providing technical advice and acting as the Single Point of Contact (SPOC) for its Computer Security Incident Response Team (CSIRT).
The NCSC produced the Cyber Assessment Framework (CAF), a collection of guidance for CAs which consists of 14 cyber security and resilience principles incorporating indicators of good practice. The CAF is intended for use by OES and DSPs, providing a common framework against which CAs assess compliance with the security principles and guidance.
The CAF may be completed by an OES or DSP itself, or it may choose to obtain the help of a suitably qualified organisation to complete it on its behalf.
How can Arcanum help?
Arcanum is certified by the NCSC as a trusted provider of cyber security risk assessment and management services.
We are certified by the NCSC under the Professional Services scheme, and have the experience and expertise to support the CAF process for the CAs and to provide risk assessment and management advice to OES and DSPs.
Arcanum has been conducting cyber risk and resilience assessments for many years, helping organisations to prioritise and manage their security risks. All of our cyber security experts are highly experienced professionals and hold national level security vetting.
We have been working with the CAF since its inception in 2018, using it together with other recognised risk management standards, for example ISO/IEC 27001 Information Security Management Systems, ISO 27005 Risk Management, and IEC 62443 Security for Industrial Automation and Control Systems.
Arcanum will help your organisation to meet the requirements of the NIS Regulations and to maintain compliance.
For more information get in touch today.
Direct email: marie.caruso@arcanumis.com or call: 029 2278 4452