Move Over GDPR, NIS is the Gorilla in the Room

Move Over GDPR, NIS is the Gorilla in the Room

The new acronym has a far greater impact for cybersecurity than the privacy focused GDPR act.

The legislative armageddon known as the General Data Protection Regulation or GDPR is fast approaching this May with the financial consequences for non-compliance (up to 4 percent of worldwide total) causing a fair amount of justified alarm.

But however important that new legislation is, another critical and impactful legislation that some say will have even greater impact is on the horizon, especially in the realm of cybersecurity. That law is The Network and Information Security (NIS) Directive which has as its focus securing critical infrastructure and creating a regulatory climate that creates urgency for cybersecurity defences. In particular, The NIS Directive aims to improve cybersecurity in three areas:

  1. National cybersecurity capabilities of the individual EU countries (e.g. they must have a national CSIRT, perform cyber exercises, etc.)
  2. Cross-border collaboration between EU countries (e.g. the operational EU CSIRT network, the strategic NIS cooperation group, etc.)
  3. National cybersecurity oversight of the critical sectors,ex ante for operators in critical sectors (energy, transport, water, health, finance, etc.) and ex post for critical digital service providers (internet exchange points, domain name systems, etc).

In many ways, these directives have been fragmentarily taken up by most countries. But as the May 9th deadline looms, more and more countries and industrial sectors gear up for PoCs and deployments to make themselves ready and compliant. The Netherlands, for instance, has already been vigorously meeting deadlines to start as of January, 2018. And because of its emphasis on cross border information sharing and solutions, many sectors are seeing benefits. Banking is one (as in the case of DDoS attacks that force discussions with telecom operators who need better spoofing filtration) but there are other cross fertilisations that will grow. As Marnix Dekker, security expert from ENISA writes in, “Another cross-sector issue, and a growing concern in cybersecurity, is the emergence of circular dependencies between different critical sectors. For example, energy companies rely more and more on telecoms’ infrastructure and digital services for their operations, which in turn rely heavily on the power grid. Short disruptions of power supply can be overcome with batteries or diesel-powered generators, but during large disruptions, batteries and fuel run out. If one power plant blacks out, the rest of the grid can become unstable.

Blackouts in one country can quickly spread across to other countries. So to avoid a cascading effect it is necessary to arrange for priority truckloads with diesel fuel to refurnish critical data centres and telecom sites. This means a third critical sector (transport) comes into play, which, as we know, is also increasingly dependent on telecom and digital services.” Such scenarios are just some of the complex ecosystems that cybersecurity will be called into play to protect as NIS demands a battle hardened and resilient set of defences that create compliance.