With everyone’s minds focused on the upcoming GDPR deadline, EU members must not overlook the NIS Directive. EU member states must implement measures to comply with the NIS Directive before the 9th of May, 2018. So what are the biggest challenges to compliance with the directive?
What is the NIS Directive?
The NIS (Network Information Security) Directive was published and adopted July 6th, 2016 by the European Union in order to reinforce and standardize the security practices of the essential services industry. It went into effect in August of 2016 as the first ever EU-wide cybersecurity legislation, and gave member states 21 months to comply with its regulations. Historically, security requirements were defined independently and variably by each EU member state. This approach, however, impacts the IT security of the entire European Union in weakening its ability to respond to security incidents.
The NIS Directive was thus developed to improve this imbalance by creating consistency and defining a minimum level of security across all states of the EU. The Directive focuses primarily on essential services – such as utilities and transportation – considered crucial to the economic and political stability of the EU. The Directive defines Operators of Essential Services (OES) as sectors including energy, transportation, health, and finance. Data hosting services and online sites which deal with the passing of data such as search engines are also affected by the NIS Directive’s compliance requirements.
Challenges of NIS Directive Implementation
Security concerns certainly vary, and can differ greatly between operators of essential services and digital service providers. Regardless of structure, however, certain challenges remain the same:
Strengthening the stability of the EU and bringing uniformity to IT security policies requires the alignment of 28 member states under the same regulations as well as the oversight of the implementation of these policies in each country, an enormous task for governing bodies. To address these challenges, legislative acts (20), (22), (24) and (35) of the NIS Directive assist each member state to:
- Identify the OES and digital service providers to protect
- Understand their responsibility where an essential service is offered in multiple member states
- Initiate the first stages of communication, encouraging smooth and frequent cooperation between the private and public sectors, and between digital service providers and OESs
Though supporting regular communication and facilitating the adoption of good security and incident management practices across multiple EU countries is important, it can be difficult without a clear communications policy. Coordination between member states and the EU authorities is essential to the NIS Directive’s success. Consequently, the Directive defined an organizational structure which designates key contributors at the state, European, and international levels (Figure 1). This structure clearly delineates the lines of communication to follow to respond to this undertaking.
At the national level, each EU member state must oversee the implementation of adequate security measures by its OESs and digital service providers. These organizations are required to maintain and demonstrate:
- The definition and implementation of a stable security policy adapted to their particular cybersecurity risks
- The implementation of technical and organizational security measures necessary for the protection of their services
- Regular evaluation of risks and threats to the stability and continued operation of their service
- Rapid notification and response to incidents (generally within 72 hours) with an understanding of the number of users affected, as well as the duration and severity of the incident
In addition to these requirements, the NIS Directive places further obligations on digital service providers. According to Article 16 paragraph (1), these organizations must address:
- The security of systems and facilities
- Incident handling and business continuity, specifying where possible the number of users affected, the duration of the incident and its geographical spread, the severity of the disruption to the service, and its impact on economic and societal functions
- The monitoring, auditing, and testing of the security practices in effect
- Compliance with international standards
The NIS Directive therefore covers a broad scope in order to ensure a 360° approach to security: preventing incidents on one hand, and detecting, managing, and reporting them on the other.
The Role of PAM in Complying with the NIS Directive
Privileged Access Management, or PAM, helps Operators of Essential Services (OES) and digital service providers meet the compliance requirements laid out by the NIS Directive, and supports them in defining and enforcing security policies for the prevention, detection, and notification of incidents.
Developed in order to protect equipment and resources targeted by both internal and external threats, PAM controls and traces all access and sessions by privileged users in the IT network, and provides administrators with security tools that are integral to the application of NIS regulations, such as:
- Complete visibility of all rights, access, and activities of users on the network
- Control and security of internal and external access to strategic systems and resources
- Real-time detection of malicious activity and complete session recording
- Traceability of logs to generate audit reports necessary for incident response
Want to learn more about the role of Privileged Access Management (PAM) in NIS Directive compliance? Get in touch or click below to read the complete white paper!