The EU Network and Information Security (NIS) Directive (Directive (EU) 2016/1148) was adopted by the European Parliament and the Council in 2016 and was the first EU-wide legislation focused on cybersecurity. As a directive, it is not directly enforceable: each member state transposes it into national law and enforces it through that law, alongside other EU-wide rules such as the GDPR and, for the financial sector, the later Digital Operational Resilience Act (DORA).
The NIS Directive applies to Digital Service Providers (DSPs) and Operators of Essential Services (OES). Relevant digital service providers include services like online search engines, cloud computing services, and online marketplaces. On the other hand, OES provide critical infrastructure services that, if disrupted, could significantly impact individuals and the community.
Many member states provide individual NIS Compliance Guidelines for OES in their respective states. In this blog, we’ll explore general NIS Compliance Guidelines for OES and how they work towards enhancing cybersecurity for critical infrastructure for the European Union as a whole.
Understanding NIS Compliance Guidelines for OES
While the NIS Directive provides cybersecurity standards across the European Union, each member state must transpose them into local legislation. During the implementation process, many states drafted compliance guidelines to help organizations that must be NIS-compliant understand the new requirements.
A member state’s national cybersecurity authority (in several countries a National Cyber Security Centre, or NCSC) typically publishes NIS Compliance Guidelines for OES that outline the requirements and provide practical guidance on meeting them. The guidelines are written so that organizations of any size or maturity can adopt good practice and improve their security and cyber resilience.
Security Requirements for OES
NIS Regulations outline network and information security obligations for OES. The NIS Compliance Guidelines for OES explain these in detail, including that operators of essential services must:
- Take necessary technical and organizational measures to manage security risks of network and information systems used in operations.
- Implement measures that prevent and reduce the impact of security incidents on the network and information systems used to provide those services, so that the essential service continues to operate (business continuity management).
Principles of Network and Information System Security
Since OES can include organizations with little to no cybersecurity experience, the NIS Compliance Guidelines for OES also outline general principles for the security of network and information systems.
When implementing cybersecurity measures, OES should take the following principles into account. Measures should be:
- Effective: Measures should increase the cybersecurity posture of an OES in the current and future threat landscape.
- Tailored: Measures should be tailored to have the most impact in enhancing the security of an OES.
- Compatible: Measures should address vulnerabilities common across sectors and complement sector-specific security measures.
- Proportionate: OES should implement proportionate security measures, emphasizing protecting systems that support essential services.
- Easy to Understand: Measures should be digestible and easy to follow so they can be implemented in full and enhance the cybersecurity posture of an OES.
- Verifiable: Measures should be able to provide the authorities with evidence of practical implementation.
- Inclusive: Measures should cover all five themes (Identify, Protect, Detect, Respond, Recover).
NIS Guidelines for Security Requirements
The NIS Compliance Guidelines for OES include a section of general guidelines for security requirements. They are organized around the following five functions, which are the core of the NIST Cybersecurity Framework and map onto internationally accepted standards for network and information systems security.
- Identify: During this phase, the OES determines the business context and the resources that support critical functions, together with the related cybersecurity risks, so that it can allocate effort and resources where they matter most. This includes asset management, business environment, governance, risk assessment, risk management strategy, and supply chain risk management.
- Protect: OES must develop and implement security policies that protect critical elements (data, personnel, systems, devices, facilities, etc.). This includes identity management, authentication and access control, awareness and training, data security, service protection policies, penetration testing, and data protection technology.
- Detect: The OES should be able to detect, in a timely way, any activity that could affect essential services. This includes anomaly and event detection, staff awareness, continuous security monitoring, and defined detection processes.
- Respond: OES should develop measures to contain and minimize the impact of a potential cybersecurity event. These measures include response planning, communication, analysis, mitigation, and improvements.
- Recover: OES must create a plan to restore essential services affected by a cybersecurity incident. Measures within that plan can include recovery planning, improvements, and communications.
Incident Notification
The NIS Regulations require all OES to notify the national computer security incident response team (CSIRT), or the competent authority where national law so provides, of any incident that has a significant impact on the continuity of an essential service.
- Notify: The Directive itself requires notification without undue delay; several member-state transpositions (for example the UK NIS Regulations 2018) fix this at no later than 72 hours after the operator becomes aware of the incident. Once the incident is resolved, the OES is typically expected to submit a follow-up report to the CSIRT.
- Impact: OES should determine the impact of the incident by identifying the number of users affected by the service disruption, the duration of the incident, and the geographical spread of the incident.
- Information: Incident notifications must include the following information: the operator’s name, sector category (include subsector and essential service if applicable), time of the incident, duration of the incident, local impact and any cross-border impact of the incident, and any other relevant information the CSIRT could use.
- Procedure: Common reporting procedures involve incident reporting through an online portal.
Who Must Comply with NIS Guidelines for OES?
NIS Guidelines for OES are written for operators of essential services, but the practices they describe can be applied by organizations across many infrastructure sectors. OES themselves must adhere to the obligations in the NIS Directive as transposed nationally, and a cyber resilience program aligned with international standards is a comprehensive way for an OES to meet that regulatory obligation.
Operators of Essential Services
Organizations crucial to the functioning of important societal or economic activities are called Operators of Essential Services (OES). These operators are responsible for managing infrastructure, services, or facilities that, if disrupted, could have a significant impact on citizens' health, safety, security, economic well-being, or the efficient functioning of governments or the economy.
The NIS Directive identified several sectors in which member states must designate Operators of Essential Services, because organizations in these sectors are particularly exposed to network and information system failures or cyber-attacks. The following are some of the sectors commonly classified as essential services under the NIS Directive:
- Energy: Electricity suppliers, oil and gas production/distribution, nuclear facilities
- Transport: Airports and airlines, ports, railway infrastructure
- Banking and Financial Market Infrastructure: Credit institutions, stock exchanges, settlement services
- Healthcare: Hospitals, emergency services, blood banks
- Water Supply: Drinking water supply and distribution
- Digital Infrastructure: Internet exchange points (IXPs), domain name system (DNS) providers, top-level domain (TLD) name registries
Beyond these categories, the updated NIS2 Directive extends coverage to further sectors, including public administration, food production, processing and distribution, and public electronic communications networks.
Penalties for Non-Compliance
The NIS Compliance Guidelines do not themselves specify penalties. Still, OES that do not comply with the NIS Directive face penalties, which under the original Directive are defined individually by each member state.
Different types of infringements result in various penalties, including not reporting security incidents within the designated timeframe and failing to implement proper security measures. Penalties can range from fines to business restrictions, and the infringement's severity determines the punishment level.
Under the original NIS Directive, member states define their own penalties; the UK NIS Regulations 2018, for example, allow fines of up to £17 million. The updated NIS2 Directive sets harmonized maximums: at least €10,000,000 or 2% of total worldwide annual turnover (whichever is higher) for essential entities, and at least €7,000,000 or 1.4% of total worldwide annual turnover (whichever is higher) for important entities.
National Competent Authorities
The NIS Directive requires each member state to designate one or more National Competent Authorities (NCAs), plus a single point of contact for cross-border cooperation, to oversee the application of the regulations and ensure compliance with the directive.
National Competent Authorities can request information from OES and carry out compliance audits, in some states using a structured assessment such as the UK NCSC's Cyber Assessment Framework (CAF). NCAs also appoint inspectors to verify compliance by OES and issue enforcement or compliance notices when an OES fails to meet NIS requirements.
Keep Your Organization Secure with UpGuard
If your organization operates an essential service or is just looking to upgrade your cybersecurity standards, UpGuard is here to help. Our all-in-one attack surface management tool, BreachSight, keeps your assets monitored and protected.
UpGuard BreachSight keeps you one step ahead with continuous monitoring, protects your digital assets with comprehensive data leak detection, and allows you to address potential cyber threats quickly. With additional features like attack surface reduction, shared security profiles, insight reporting, and more—BreachSight is a valuable tool that measures and manages the overall external security of your company.