Network and Information Systems Regulations
What are the Network and Information Systems Regulations and who do they apply to?
On 10 May 2018 the EU Network and Information Systems (NIS) Directive became law in the UK as the Network and Information Systems Regulations 2018. They mandate that the ‘Operators of Essential Services (OES)’ who provide electricity, oil, gas, water, healthcare and transport take appropriate and proportionate security measures to manage risks to their network and information systems, and notify serious incidents to the relevant Competent Authority. Competent Authorities are organisations such as Ofgem; the Department for Transport; the Department for Environment, Food & Rural Affairs; the Department for Business Energy & Industrial Strategy; Ofcom; the Department for Health; and the Civil Aviation Authority, who will regulate compliance and take enforcement action where necessary, including issuing notices and imposing substantial financial penalties.
What does it mean for the Operators of Essential Services?
Unlike GDPR, where the ICO as the regulator takes a retroactive interest once a data breach has happened, the UK Competent Authorities are taking a proactive approach by implementing an assessment framework, including an audit programme, to encourage their respective OES to prevent incidents from happening. Most of the Competent Authorities have confirmed that they will be implementing the National Cyber Security Centre (NCSC) Cyber Assessment Framework (CAF) as their compliance auditing tool.
Several of the Competent Authorities have initiated their auditing by instructing OES to assess themselves against the CAF and submit their findings, supported by independent assurance from a third party approved by the NCSC.
How can Arcanum help?
As an NCSC Certified Cyber Security Consultancy (CCSC) for Risk Assessment and Risk Management, we are an approved source of help and advice. Although the CAF is relatively new, we already have experience of helping OES conduct their internal audits and assisting them to fix the problem areas.