Important Security legislation for public and financial institutions

MORE LIKE GDPR

GDPR has received a lot of exposure since it was introduced in 2016, especially because of the high fines companies could face if they did not comply with the new rules.

On 6 July 2016, the European Parliament also adopted Directive 2016/1148, to ensure a high common level of security for network and information systems throughout the Union.

THE NIS DIRECTIVE

The purpose of the Directive, referred to as the NIS Directive, is to harmonize and tighten the rules concerning security by imposing new security requirements on providers of state-critical network and information systems (this also includes financial institutions).

The new EU directive was implemented in Danish law in May 2018 (Network and Information Security Act for Domain Name Systems and Certain Digital Services).

SAFETY FIRST

The aim of the new legislation is to strengthen the protection of critical infrastructure and to force several organizations – including some utility companies – to place greater focus on IT security and risk management. They will be forced to optimize their risk management and to document and implement risk management in their business procedures. An operator of essential services now has a duty to take appropriate action to manage the risks to the security of the network and information systems it uses.

REPORTING OBLIGATIONS

In addition, both operators of essential services and digital service providers have a duty to notify the relevant authority and the Center for Cyber Security – as soon as possible – about events that are expected to have a major impact on the services they provide.

DERIVATIVE IMPACTS ON OTHER ORGANIZATIONS

The law states that the responsibility for ensuring the security of information systems rests with the operator or provider itself, which also implies that other organizations involved cannot avoid being affected by the rules.

It is important to note that the operator or provider must in future also ensure that its suppliers maintain a comparable level of security for operational deliveries. The operator or provider must address the entire supply chain, including the security associated with third-party suppliers and subcontractors, to ensure an adequate level of security for their deliveries.

That means the new requirements of the NIS legislation become relevant for all actors providing services to organizations covered by the rules. In general, this law makes it a bit more complicated for both public and financial institutions to outsource their services to third parties.

Both public and private actors must consider to what extent their suppliers of e.g. cloud services are subject to the NIS legislation, and they must ensure that the appropriate requirements of the directive are built into tenders and new contracts at all levels of the supply chain.

NIS VERSUS GDPR

The NIS legislation shares similarities with the data protection rules, which also require notification of security breaches, risk analysis and the introduction of appropriate technical and organizational measures to ensure a level of security appropriate to the risks related to personal data.

However, the requirements of the NIS legislation go further than those of the data protection legislation, because the NIS requirements also cover information systems and networks that are not used to process personal data.

INTERNATIONAL SECURITY STANDARDS

International standards such as ISO 27001 and ISO 27035 serve as ideal frameworks for achieving the required compliance. In fact, the regulation states that operators and providers must take "compliance with international standards" into account.

Just so you don't forget!
