Who does the NIS Directive affect?

By Sarah Brown and Thomas Wood

25 May 2018, when the EU’s GDPR (General Data Protection Regulation) came into effect, is a date stuck in all business minds because of the amount of news coverage surrounding it. However, the EU’s NIS Directive (Directive on security of network and information systems), whose local conditions should have been enforced on 10 May 2018, was easier to miss. But does it affect your organisation?

What is the NIS Directive?

We use technology regularly throughout our day, whether it’s at work using the Internet or at home on our mobiles. It’s part of modern life that we have come to accept and while we may not necessarily know or care how technology works, we do want assurance that it keeps working in the way we expect. This is how the NIS Directive came about. Its main aim is to achieve a high, common level of information security across the EU, so we can protect and ensure the continuity of our essential services.

Who needs to comply with the NIS Directive?

The organisations within scope can be split into two different categories:

  • OES (operators of essential services)

OES are effectively critical infrastructure organisations. They’re defined as organisations providing “a service which is essential for the maintenance of critical societal and/or economic activities”. Specifically, the provision of the essential service must depend on network and information systems, to which an incident would have “significant disruptive effects” for providing that service.

  • DSPs (digital service providers)

These are organisations that provide digital services “at a distance, by electronic means and at the individual request of a recipient of services”. Annex III of the Directive names the following organisations as DSPs:

  • Online search engines
  • Online marketplaces
  • Cloud computing services

Recital 57 states that “Member States should not identify digital service providers, as this Directive should apply to all digital service providers within its scope”. This is due to DSPs’ cross-border nature – their services can easily be used across borders, unlike OES (which is why member states are expected to identify the latter).

How can we help?

In the UK, the NIS Directive were enforced via the NIS Regulations (Network and Information Systems Regulations 2018). Consisting of more than 100 different documents, our new NIS Regulations Documentation Toolkit could save you hours of writing up all the different policies and procedures needed to demonstrate compliance with the Regulations. Developed by industry experts, the toolkit comes in Microsoft Word and Excel format, making it easy for you to edit and customise to suit your business needs.

For more information on the NIS Regulations Documentation Toolkit please visit here.