Network and information systems and the essential services they support play a vital role in society, from ensuring the supply of electricity, water, and health services, to the provision of passenger and freight transport. Their reliability and security are essential to everyday activities.
The EU recognised that any cyber security incident could affect a number of Member States and in 2013 put forward a proposal to improve the EU's preparedness for a cyber attack. This proposal became a directive in August 2016, giving Member States 21 months to embed the Directive into their respective national laws.
The UK will be implementing this EU directive on the security of Networks and Information Systems (known as the NIS Directive). The actual implementation is being led by the Department for Digital, Culture, Media and Sport (DCMS); we'll be providing support along with the lead government departments for the relevant sectors. The government proposals on how the directive will be implemented have recently been published on the DCMS website.
As we have seen from numerous cyber security incidents, these systems can be an attractive target for malicious actors, and they can also be susceptible to disruption through single points of failure. Incidents affecting any of these systems could cause significant damage to the UK's infrastructure or economy, or result in substantial financial losses. The magnitude, frequency and impact of network and information system security incidents are increasing. Recent events such as the WannaCry ransomware attack, the 2016 attacks on US water utilities, and the 2015 attack on Ukraine’s electricity network clearly highlight the impact that incidents can have.
There is therefore a need to improve the security of network and information systems across the UK, with a particular focus on essential services which, if disrupted, could potentially cause significant damage to the economy, society and individuals’ welfare.
Here we'll explain a bit more about our role in - and contribution to - NIS implementation in the UK, highlight the key messages, and give details on how those interested or affected can get involved. We've also published the top-level objectives, principles and the narrative which explains them.
What is the NIS Directive?
The NIS Directive aims to raise levels across the EU of the overall security and resilience of network and information systems. The Directive provides the legal footing to:
- Ensure that Member States have in place a national framework (eg a National Cyber Security Strategy), teams (eg Computer Security Incident Response Team (CSIRT)), and a national NIS Competent Authority (CA) so that they are equipped to manage a cyber security incident.
- Set up a Cooperation Group among Member States to support and facilitate strategic cooperation and the exchange of information. The Member States will also need to participate in a CSIRT Network to promote swift and effective operational cooperation on specific network and information system security incidents, as well as sharing information about risks.
- Ensure that businesses within vital sectors which rely heavily on information networks, for example utilities, healthcare, transport, and digital infrastructure sectors, are identified by each Member State as “operators of essential services” (OES). Those OES will have to take appropriate and proportionate security measures to manage risks to their network and information systems, and they will be required to notify serious incidents to the relevant national authority. Engagement with industry is therefore crucial in the implementation of the directive.
The deadline for Member States transposing the Directive into domestic legislation is 9 May 2018. As a result, the clock is ticking on implementing this in the UK.
Who does the NIS Directive primarily involve?
Companies and organisations identified as either operators of essential services (OES) or Competent Authorities (CAs) are primarily involved. The criteria for identifying OES and CAs in the UK can be found within the public consultation which DCMS have launched.
Some sectors are exempt from some aspects of the Directive where there are provisions within their existing regulations which are, or will be, at least equivalent to those the NIS Directive specifies (eg finance or civil nuclear sectors). The technical guidance we produce will be widely applicable, and all sectors should take note of it.
What is the NCSC’s role in preparing for the implementation of the NIS Directive?
The NCSC is providing technical support and guidance to other government departments and CAs through:
- a set of cyber security principles for securing essential services
- a collection of supporting guidance
- a Cyber Assessment Framework (CAF), incorporating indicators of Good Practice
- implementation guidance and support to CAs to enable them to:
  - adapt the NCSC NIS principles for use in their sectors
  - plan and undertake assessments using the CAF, and interpret the results
The 14 proposed cyber security principles for securing essential services have been published on our site and as part of the public consultation being led by DCMS.
How can we get involved? What about questions or feedback?
DCMS are conducting a public consultation to seek and consolidate views from industry, regulators, and other interested and affected parties on the Government’s plans to transpose the Directive into UK legislation. It sets out the Government’s proposed implementation strategy and asks a series of questions on a range of detailed policy issues.
We would encourage any affected or interested party to engage in the process. In particular the NCSC would like feedback on the cyber security principles and the proposed approach to the provision of technical support and guidance to ensure they meet the needs of OES and CAs. The NIS Directive is an important regulation which all operators of essential services need to be aware of – this consultation provides a valuable opportunity to address any issues, concerns or queries before implementation.
Visit DCMS’ online tool to submit your response, or you can send hard copy responses to:
NIS Directive Team
Department for Culture, Media & Sport
100 Parliament Street
The closing date for responses is 11.45pm on 30 September 2017.
All questions and feedback on the NIS Directive should be directed to DCMS through their public consultation website. The NIS Directive is likely to be a key topic for discussion at many of the Information Exchanges and engagements over the coming weeks and months. Questions and feedback will be vital in addressing the implementation of the directive.
After the consultation and the agreement of the principles, the NCSC will work to develop guidance to support the principles and provide a generic Cyber Assessment Framework (CAF) for use by CAs.
Once the NIS Directive is live in May 2018, we expect our role to be:
- Single Point of Contact (SPOC) - we'll act as the contact point for engagement with EU partners, coordinating requests for action or information and submitting annual incident statistics.
- CSIRT (Computer Security Incident Response Team) - we will receive all incident reports and will provide advice and support on the cyber aspects to operators and Digital Service Providers in the event of an incident. We will be responsible for the dissemination of appropriate risk and incident information to Competent Authorities and other relevant stakeholders.
- Technical Authority on Cyber Security - the NCSC will support CAs with security advice and guidance and act as a source of technical expertise. We'll tailor some generic guidance to individual sectors to support CAs.