- General Introduction
- What does the NIS Directive cover and when will it be implemented into UK law?
- Essential Services: Who does the NIS Directive apply to?
- The NCSC role in the implementation of the NIS Directive
- How our guidance is intended to be used - the outcome based approach
- The relationship between NCSC and Competent Authorities
1. General introduction
Network and information systems and the essential services they support play a vital role in society, from ensuring the supply of electricity and water, to the provision of healthcare and passenger and freight transport. Their reliability and security are essential to everyday activities.
The EU recognised that any cyber security incident could affect a number of Member States and in 2013 put forward a proposal to improve the EU's preparedness for a cyber attack. This proposal became the directive on the security of Networks and Information Systems (the NIS Directive) in August 2016, giving Member States 21 months to embed the Directive into their respective national laws.
As we have seen from numerous cyber security incidents, these systems can be an attractive target for malicious actors, and they can also be susceptible to disruption through single points of failure. Incidents affecting any of these systems could cause significant damage to the UK's infrastructure or economy, or result in substantial financial losses. The magnitude, frequency and impact of network and information system security incidents are increasing. Events such as the 2017 WannaCry ransomware attack, the 2016 attacks on US water utilities, and the 2015 attack on Ukraine’s electricity network clearly highlight the impact that incidents can have.
There is therefore a need to improve the security of network and information systems across the UK, with a particular focus on essential services which if disrupted, could potentially cause significant damage to the economy, society and individuals’ welfare.
The NIS Directive has been implemented at the same time as the new General Data Protection Regulation (GDPR), which requires holders of personal data to provide security assurances around that data, and to report on any incidents that might affect them.
2. What does the NIS Directive cover and when will it be implemented into UK law?
The NIS Directive aims to raise levels of the overall security and resilience of network and information systems across the EU. The Directive provides the legal footing to:
- Ensure that Member States have in place a national framework so that they are equipped to manage cyber security incidents and oversee the application of the Directive. This includes a National Cyber Security Strategy, a Computer Security Incident Response Team (CSIRT), and a national NIS competent authority, or competent authorities.
- Set up a Cooperation Group among Member States to support and facilitate strategic cooperation and the exchange of information. The Member States participate in a CSIRT Network to promote swift and effective operational cooperation on specific network and information system security incidents as well as sharing information about risks.
- Ensure that organisations within vital sectors which rely heavily on information networks, for example utilities, healthcare, transport, and digital infrastructure sectors, are identified by each Member State as “operators of essential services” (OES). Those OES are required to take appropriate and proportionate security measures to manage risks to their network and information systems, and they are required to notify serious incidents to the relevant national authority. The participation of industry is therefore crucial in the implementation of the directive.
3. Essential Services: Who does the NIS Directive apply to?
Companies and organisations identified as either operators of essential services (OES) or Competent Authorities (CAs) are primarily involved. The criteria for identifying OES and the list of CAs in the UK can be found within the NIS Regulations.
Some sectors are exempt from some aspects of the Directive where there are provisions within their existing regulations which are at least equivalent to those the NIS Directive specifies (eg the finance and civil nuclear sectors). The technical guidance NCSC has produced in support of the UK’s implementation of the NIS Directive is widely applicable, and all sectors should take note of it.
4. The NCSC role in the implementation of the NIS Directive
The NCSC is providing technical support and guidance to other government departments, Devolved Administrations, CAs and OES through:
- a set of cyber security principles for securing essential services
- a collection of supporting guidance
- a Cyber Assessment Framework (CAF) incorporating indicators of good practice
- implementation guidance and support to CAs to enable them to:
  - adapt the NCSC NIS principles for use in their sectors
  - plan and undertake assessments using the CAF and interpret the results
The NCSC has the following three roles in support of the NIS Directive:
- Single Point of Contact (SPOC) - we are the contact point for engagement with EU partners on NIS, coordinating requests for action or information and submitting annual incident statistics.
- CSIRT (Computer Security Incident Response Team) - incidents that are believed to be reportable under the NIS Directive MUST be reported to the appropriate Competent Authority. Where they are identified or suspected of having a cyber security aspect, the operator is also strongly encouraged to contact NCSC for advice and support as appropriate.
- Technical Authority on Cyber Security - the NCSC supports OES and CAs with cyber security advice and guidance and acts as a source of technical expertise. We may work with OES and CAs to tailor some generic guidance to individual sectors if necessary.
The NCSC has no regulatory role in NIS.
5. How our guidance is intended to be used - the outcome-based approach
The implementation of the NIS Directive is an opportunity to put mechanisms in place that drive real improvements to national cyber security. NCSC is committed to working constructively with CAs and OES to help ensure that NIS regulatory requirements are defined and used to promote and support effective cyber risk management. This objective has shaped the NCSC approach throughout.
While recognising the risk of over-simplifying a complex subject, there are two basic approaches available when aiming to drive change towards a recognised desirable end-state. The first approach is to create a set of prescriptive rules that, if closely followed, will result in achieving the desirable end-state. The second approach is to define a set of principles that, if consistently used to guide decision-making, will collectively result in the desirable end-state. Much has been written about the advantages and disadvantages of the two approaches, but it is the NCSC view that the principles-based approach is more effective as a way of driving improvements to cyber security in the context of the NIS Directive.
To work well, a set of prescriptive rules needs to cater for all eventualities. When this is possible, and the rules are followed, the approach can deliver what is required. However, in complex topic areas and rapidly changing circumstances, it may be impossible to cater for all eventualities. In such cases, which include cyber security, any attempt to devise and apply a set of prescriptive rules is almost certain to lead to unintended consequences, resources being badly misallocated, and limited benefit.
While it is not possible to devise an effective set of prescriptive rules for good cyber security, it is possible to state a set of principles as a guide to cyber security decision-making. NCSC has developed such a set of principles for the implementation of the NIS Directive.
The NIS cyber security principles define a set of top-level outcomes that, collectively, describe good cyber security for operators of essential services. Each principle is accompanied by a narrative which provides more detail, including why the principle is important. Additionally, each principle is supported by a collection of relevant guidance which both highlights some of the relevant factors that an organisation will usually need to take into account when deciding how to achieve the outcome, and recommends some ways to tackle common cyber security challenges.
Some organisations may be concerned that the principles and guidance are too vague. It is important to recognise that the NCSC intent is not to produce an all-encompassing cyber security “to do” list – an unachievable goal in any case. Organisations understand their own business better than any external entity, and should be capable of taking informed, balanced decisions about how they achieve the outcomes specified by the principles. NCSC intends the principles and guidance to be used in the following way by operators of essential services:
- Understand the principles and why they are important. Interpret the principles for the organisation.
- Compare the outcomes described in the principles to the organisation’s current practices. Use the guidance to inform the comparison.
- Identify shortcomings. Understand the seriousness of shortcomings using organisational context and prioritise.
- Implement prioritised remediation. Use the guidance to inform remediation activities.
If an OES experiences an incident that has the potential to compromise the security of personal data, they may also be required to report the incident to the Information Commissioner's Office (ICO), under the GDPR, even if the incident does not warrant reporting under the NIS Directive. For more information on complying with GDPR, readers can consult the NCSC's GDPR Security Outcomes guidance, which aligns closely to the NIS cyber security principles.
6. The relationship between NCSC, Competent Authorities and Operators of Essential Services
While the implementation of the NIS Directive has significantly expanded the scope of cyber security regulation in the UK, it does not fundamentally alter the role of NCSC (although we have taken on the formal roles of CSIRT and Single Point of Contact within the national framework). The key point is that regulatory responsibilities under NIS are carried out by the Competent Authorities (CAs), not NCSC. Within the general UK cyber security regulatory environment, including NIS, NCSC’s aim is to operate (as now) as a trusted, expert and impartial advisor to all interested parties.
To help ensure that the Directive delivers the intended improvements in cyber security, NCSC supports the NIS CAs in a number of specific ways. For example, we assist NIS CAs by developing cyber security standards and guidance, and by helping them build their internal cyber security expertise through accessing suitable training.
However, some important constraints govern how NCSC works with CAs, in order to maintain the benefits that result from the open and collaborative relationship NCSC enjoys with most of the organisations that fall under the scope of NIS. There are strong restrictions on the type of cyber security information that NCSC shares with the CAs, and those restrictions are designed to address concerns about how information considered sensitive by industry and other organisations is handled in the NIS regulatory environment. And, while NCSC is advising the CAs on how to do cyber security assessments against the NIS standards, we will not be undertaking regulatory assessments on behalf of the CAs.