UK Network and Information Systems (NIS) Crib Sheet
What is it?
- Stands for Network and Information Systems Directive.
- A cybersecurity law aimed at protecting essential services from cyber threats.
- Applies to operators of essential services (OES) and digital service providers (DSPs) across sectors like energy, health, transport, and finance.
Key Goals
- Strengthen cybersecurity for critical infrastructure and services.
- Prevent and respond to cyber incidents that could disrupt essential services.
- Encourage collaboration between organizations and government.
Who’s Covered?
- Operators of Essential Services (OES):
  - Energy, healthcare, transport, water, finance, and digital infrastructure companies.
- Digital Service Providers (DSPs):
  - Online marketplaces, search engines, and cloud service providers.
Key Requirements
Implement Security Measures:
- Take reasonable steps to prevent cyber threats (firewalls, encryption, etc.).
Incident Reporting:
- Notify the authorities about significant security incidents ASAP (usually within 72 hours).
Risk Management:
- Regularly assess and manage risks, not just tech but people and processes too.
Cooperation with Authorities:
- Share relevant info with the National Cyber Security Centre (NCSC) and follow their guidelines.
Incident Reporting Basics
- Report incidents that disrupt essential services or compromise data security.
- Threshold: if the incident has an impact on customers or systems, it needs reporting.
- Timing: 72 hours to notify authorities.
Fines
- Non-compliance can lead to fines of up to £17 million or 4% of global turnover (whichever is higher).
Practical Steps
- Strengthen cybersecurity: Firewalls, monitoring tools, encryption, regular updates.
- Incident response plans: Have a clear protocol for when something goes wrong.
- Collaborate: Work with the NCSC and other bodies to stay compliant.
- Train your team: Everyone needs to know how to spot and respond to threats.