What is the NIS Directive?

The European Commission proposed the EU Network and Information Security Directive as part of the European Cyber Security strategy. The directive came into force on the 10^th of May 2018 with aim to increase the maturity level of cybersecurity across the state members of EU and ensure their strategic cooperation through Risk Management and Incident Reporting.

The Digital Security Authority (DSA) is the NIS authority of Cyprus which was established by Law 17(I)/2018 on the Security of Network and Information Systems. The DSA is the authority responsible for the transposition of the NIS Directive in Cyprus. As far as the NIS Directive is concerned, the DSA acts as the Single Point of Contact (SPOC), the National Competent Authority (NCA) and it incorporates the National CSIRT of Cyprus (CSIRT-CY).

Who is Impacted?

Operators of Essential Services (OESs)

OESs are public entities or private businesses that if their services were disrupted, would have a profound impact on the society or the economy.

• Healthcare
• Transport
• Energy
• Banking
• Financial Market Infrastructure
• Digital Infrastructure
• Water Supply

The OESs are highly dependent on technology, hence any malicious act can be proven disastrous for both economy and society. Serious incidents with significant impact should be reported to the relevant national authority without delay. Such operators must take appropriate security measures ensuring that the adequate controls and safeguards are in place. Moreover, it is important that they implement comprehensive security awareness programs as well as an information security management system. In case of a cyber incident it is also significant in understanding the total impact of the incident in terms of total duration, total number of affected users and total economic and societal impact, understand the root causes of incidents and how similar incidents can be mitigated or even prevented.

Digital Service Providers (DSPs)

DSPs as provided by the regulation are the below:

• Online search engines: A digital service that allows users to perform searches of websites on the basis of a query on any subject.
• Online marketplace: A digital service that allows consumers and/or traders to conclude online services or service contracts with traders.
• Cloud computing services: A digital service that enables access to a scalable and elastic pool of shareable computing resources

Key digital service providers will also have to comply with the security and notification requirements under the new Directive. It is essential for the DSPs to establish, implement, operate, monitor and maintain an appropriate level of security and assess the level of related risk on a regular basis. Moreover, it is a requirement to be able to identify trends or patterns in cyber security and understand the efficiency and effectiveness of the incident and the collaboration and information sharing mechanisms.

Requirements of the Directive

The Directive requires Operators of Essential Services (OESs) and Relevant Digital Service Providers (RDSPs) to:

Achieve the outcomes set by the 14 NIS principles, as shown below, by taking appropriate measures, technical and organizational, to manage the risk posed to the security of the network and information systems used.

Objective A: Managing Security Risk

1. Governance: Putting in place the policies and processes which govern your organisation’s approach to the security of network and information systems.
2. Risk Management: Identification, assessment and understanding of security risks as well as the establishment of an overall Organisational approach to risk management.
3. Asset Management: Defining all systems and/or services required to maintain or support essential functions.
4. Supply Chain: Manage the security risks to networks and information systems that derive from dependencies on external suppliers.

Objective B: Protecting Against cyber-attack 

5. Service Protection Policies and Processes: Defining and communicating appropriate Organisational policies and processes to secure systems and data that support the operation of essential functions.
6. Identity and Access Control: Understanding, documenting and controlling access to networks and information systems supporting essential functions.
7. Data security: Protecting e-transmitted or stored data from adversary actions that may cause an impact on essential functions.
8. System Security: Protecting critical network and information systems and technology from cyber-attack.
9. Resilient Networks and Systems: Building resilience against cyber-attack.
10. Staff Awareness and Training: Ensuring the organisation’s staff contributes sufficiently to the cyber security of essential functions.

Objective C: Detecting Cyber Security Events

11. Security Monitoring: Monitoring to detect possible security issues and track the effectiveness of existing security measures.
12. Proactive Security Event Discovery: Detecting anomalous events in relevant network and information systems.

Objective D: Minimizing the Impact of Cyber Security Incidents

13. Response and Recovery Planning: Implementing appropriate incident management and mitigation procedures.
14. Lessons Learned: Improving the resilience of essential functions by implementing the outcomes of lessons learned.

• Notify the competent authorities or the CSIRT of any incident that has an impact to the provided services with undue delay.

Consequences of non-compliance with the NIS Regulations

• Organisations that fail to comply with the regulation may led to major fines and other consequences, such as revenue loss and long-term reputational damage. 

What is needed to be done

• Identification of the security of the relevant network and information systems.
• Incidents that affect the continuity of the essential services provided must be reported without undue delay.
• Achieve the aforementioned 14 high-level principles set by NIS
• Compliance with International Standards.
• Compliance with the Cyber Assessment Framework that has been developed around the 14 principles and each principle has IGP (indicators of good practice). Competent authorities will use CAF as an auditing framework to measure compliance

How can we help?

Our Technology Risk team can support your organization in various areas such as:

• NIS Directive Readiness Assessment / Gap Analysis
• NIS Directive Implementation support via creating / or reviewing the respective Information Security Policies based on International Standards (e.g. ISO27001, PCI-DSS, NIST Cybersecurity Framework)
• Implementation of Business Continuity Plan / Disaster Recovery Plan
• Delivering Information Security and IT Risk Assessments to identify and help you address risks of the offered services.
• Conducting Penetration Tests to identify weaknesses and vulnerabilities of the Systems in-scope.
• Incident Readiness
• Digital Forensics and Incident Response (DFIR) for handling a Cybersecurity / Data Breach Incident.
• Security and Privacy Awareness Trainings
• Preparing the organization to be certified for ISO27001
• Conducting Information Systems Audits