The EU’s Network and Information Systems (NIS) Directive entered into force in August 2016 with the aim of increasing the resilience of cybersecurity defences across Europe. The clock is now ticking with EU member states having until 9th May 2018 to transpose the NIS Directive into their own national laws.

The NIS Directive provides legal measures that will boost the overall level of cybersecurity in the EU, particularly for industries and organisations that provide services essential to everyday life and the security of a nation. These organisations will be required to report incidents to a regulatory authority and will face fines of up to £17m if breaches are down to failures in cybersecurity defences.

Specifically, the NIS Directive aims to safeguard the supply of essential services that rely heavily on IT, such as energy, transportation, water, banking, financial market infrastructures, healthcare, and digital infrastructure. Organisations in those sectors that are identified as operators of essential services (OESs) or digital service providers (DSPs) will be required to take appropriate security measures and comply with the incident notification requirements as set out by the NIS Directive.

Cybersecurity incidents affecting these suppliers of essential everyday services have the potential to cause significant damage to the economy, spread to other member states, or even cause loss of life. And the threat to OESs is increasing, with a wave of malware in 2017 specifically written to target operational technology (OT), supervisory control and data acquisition (SCADA), and industrial control systems (ICS). Take the Triton malware in December 2017, for example, which was designed to target and manipulate industrial safety systems by infecting a Windows computer that connects to an ICS.

The NIS Directive will apply to all OESs and DSPs from 9th May 2018, but member states will then have a further six months until 9th November 2018 to formally identify all OESs and DSPs in their country that are essential to the supply of electricity, water, digital infrastructure, healthcare, and transport.

In light of these new security and incident reporting requirements under the NIS Directive, businesses are advised to do a full risk assessment of their cyber resiliency, particularly their ability to detect and respond to cyberthreats.