UK Network Information Systems (NIS) Crib Sheet

What is it?

  • Stands for Network and Information Systems Directive.
  • A cybersecurity law aimed at protecting essential services from cyber threats.
  • Applies to operators of essential services (OES) and digital service providers (DSPs) across sectors like energy, health, transport, and finance.

Key Goals

  1. Strengthen cybersecurity for critical infrastructure and services.
  2. Prevent and respond to cyber incidents that could disrupt essential services.
  3. Encourage collaboration between organizations and government.

Who’s Covered?

  1. Operators of Essential Services (OES):
    • Energy, healthcare, transport, water, finance, and digital infrastructure companies.
  2. Digital Service Providers (DSPs):
    • Online marketplaces, search engines, and cloud service providers.

Key Requirements

  1. Implement Security Measures:
    • Take reasonable steps to prevent cyber threats (firewalls, encryption, etc.).
  2. Incident Reporting:
    • Notify the authorities about significant security incidents as soon as possible (usually within 72 hours).
  3. Risk Management:
    • Regularly assess and manage risks, covering people and processes as well as technology.
  4. Cooperation with Authorities:
    • Share relevant information with the National Cyber Security Centre (NCSC) and follow their guidelines.

Incident Reporting Basics

  • Report incidents that disrupt essential services or compromise data security.
  • Threshold: if the incident has an impact on customers or systems, it needs reporting.
  • Timing: 72 hours to notify authorities.

Fines

  • Non-compliance can lead to fines of up to £17 million or 4% of global turnover (whichever is higher).

Practical Steps

  • Strengthen cybersecurity: Firewalls, monitoring tools, encryption, regular updates.
  • Incident response plans: Have a clear protocol for when something goes wrong.
  • Collaborate: Work with the NCSC and other bodies to stay compliant.
  • Train your team: Everyone needs to know how to spot and respond to threats.