Network and information systems and the essential services they support play a vital role in society, from ensuring the supply of electricity, water, and health services, to the provision of passenger and freight transport. Their reliability and security are essential to everyday activities.
The EU recognised that any cyber security incident could affect a number of Member States and in 2013 put forward a proposal to improve the EU's preparedness for a cyber attack. This proposal became a directive in August 2016, giving Member States 21 months to embed the Directive into their respective national laws.
The UK will be implementing this EU directive on the security of Networks and Information Systems (known as the NIS Directive). The implementation is being led by the Department for Digital, Culture, Media and Sport (DCMS); we'll be providing support along with the lead government departments for the relevant sectors. DCMS recently undertook a public consultation on the government proposals to implement the directive – the government response to this will be published in November.
As we have seen from numerous cyber security incidents, these systems can be an attractive target for malicious actors, and they can also be susceptible to disruption through single points of failure. Incidents affecting any of these systems could cause significant damage to the UK's infrastructure or economy, or result in substantial financial losses. The magnitude, frequency and impact of network and information system security incidents are increasing. Recent events such as the WannaCry ransomware attack, the 2016 attacks on US water utilities, and the 2015 attack on Ukraine’s electricity network clearly highlight the impact that incidents can have.
There is therefore a need to improve the security of network and information systems across the UK, with a particular focus on essential services which, if disrupted, could potentially cause significant damage to the economy, society and individuals’ welfare.
Here we'll explain a bit more about our role in - and contribution to - NIS implementation in the UK, highlight the key messages, and give details on how those interested or affected can get involved. We've also published the top level objectives and the narrative explaining them in a little more detail.
What is the NIS Directive?
The NIS Directive aims to raise levels across the EU of the overall security and resilience of network and information systems. The Directive provides the legal footing to:
- Ensure that Member States have in place a national framework (eg a National Cyber Security Strategy), teams (eg a Computer Security Incident Response Team (CSIRT)), and a national NIS competent authority so that they are equipped to manage a cyber security incident.
- Set up a Cooperation Group among Member States to support and facilitate strategic cooperation and the exchange of information. The Member States will also need to participate in a CSIRT Network to promote swift and effective operational cooperation on specific network and information system security incidents, as well as sharing information about risks.
- Ensure that businesses within vital sectors which rely heavily on information networks, for example utilities, healthcare, transport, and digital infrastructure sectors, are identified by each Member State as “operators of essential services” (OES). Those OES will have to take appropriate and proportionate security measures to manage risks to their network and information systems, and they will be required to notify serious incidents to the relevant national authority. Engagement with industry is therefore crucial in the implementation of the directive.
The deadline for Member States transposing the Directive into domestic legislation is 9 May 2018. As a result, the clock is ticking on implementing this in the UK.
Who does the NIS Directive primarily involve?
Companies and organisations identified as either operators of essential services (OES) or Competent Authorities (CAs) are primarily involved. The criteria for identifying OES and CAs in the UK can be found within the public consultation which DCMS have launched.
Some sectors are exempt from some aspects of the Directive where there are provisions within their existing regulations which are, or will be, at least equivalent to those the NIS Directive specifies (eg finance or civil nuclear sectors). The technical guidance we produce will be widely applicable, and all sectors should take note of it.
What is the NCSC’s role in preparing for the implementation of the NIS Directive?
The NCSC is providing technical support and guidance to other government departments and CAs through:
- a set of cyber security principles for securing essential services
- a collection of supporting guidance
- a Cyber Assessment Framework (CAF), incorporating indicators of Good Practice
- implementation guidance and support to CAs to enable them to:
  - adapt the NCSC NIS principles for use in their sectors (link)
  - plan and undertake assessments using the CAF, and interpret the results
The 14 proposed cyber security principles for securing essential services have been published on our site and were included within the public consultation led by DCMS.
The NCSC is currently working to develop and signpost supporting guidance for the principles, and to design a generic Cyber Assessment Framework (CAF) for use by CAs.
Once the NIS Directive is live in May 2018, we expect our role to be:
- Single Point of Contact (SPOC) - we'll act as the contact point for engagement with EU partners, coordinating requests for action or information and submitting annual incident statistics.
- CSIRT (Computer Security Incident Response Team) - we will receive all incident reports and will provide advice and support on the cyber aspects to operators and Digital Service providers in the event of an incident. We will be responsible for the dissemination of appropriate risk and incident information to Competent Authorities and other relevant stakeholders.
- Technical Authority on Cyber Security - the NCSC will support CAs with security advice and guidance and act as a source of technical expertise. We'll tailor some generic guidance to individual sectors to support CAs.