EU NIS Directive to boost cyber security of essential infrastructure comes into force

Online marketplaces and search engines as well as energy, water and transport will be required to toughen up

It may be less well-known than GDPR but the EU directive on the security of Networks and Information Systems (NIS Directive) could be just as impactful in certain critical sectors.

The NIS Directive, which comes into effect on 10 May, concerns the security of nationally important infrastructure such as electricity and water supplies, transport and healthcare. It seeks to improve the security and resilience of these services by bolstering networks against cyber attacks.

The directive requires member states to have in place "a National Cyber Security Strategy, a Computer Security Incident Response Team (CSIRT), and a national NIS competent authority, or competent authorities", according to the website of lead agency the National Cyber Security Centre (NCSC).

In addition, there should be cooperation between states to support the sharing of information about cyber attacks, and states must identify critical organisations or "operators of essential services (OES)".

"Those OES will have to take appropriate and proportionate security measures to manage risks to their network and information systems, and they will be required to notify serious incidents to the relevant national authority," says the NCSC.

In the UK, the OES category is likely to include suppliers of drinking water; digital infrastructure; the health sector; air, marine, road and rail transport; cloud services; and online marketplaces and search engines, according to the Government's consultation document. Sectors such as finance and civil nuclear are considered sufficiently protected by existing measures.

According to Charlie Wedin, cyber security expert at legal practice Osborne Clarke, the Directive is welcome and extremely timely.

"In recent years, the number of cyber attacks against national infrastructure has risen dramatically, and this demonstrates just how attractive these systems have become to malicious actors looking to target any vulnerable points in the system," he said.

"The consequences on society can be significant - preventing access to power, transport and emergency services. Recognising the importance of digital services in today's society, the Directive also applies to online marketplaces, search engines and cloud storage."

Wedin advised organisations falling within the scope of the Directive to "carry out a holistic evaluation of their technical and organisational measures to ensure the security of their networks and information. They should also test their security measures with realistic 'war game' simulations to proactively identify and rectify potential weaknesses."