The NIS Directive was adopted by the EU parliament on 6 July 2016 and entered into force in August 2016. The Member States had up to 9 May 2018 to transpose the directive into their national laws.
The NIS Directive applies to entities active in sectors that are vital to the economy and society and rely heavily on IT systems, such as digital infrastructure, financial service providers, energy, banking, healthcare, transport and water. These entities are named Operators of Essential Services (OES) and were required to be identified by the individual Member States before 9 November 2018. The NIS Directive, however, also applies to Digital Service Providers (DSPs). A DSP is an organization that delivers cloud services as well as services like search engines and online marketplaces. It is up to the EU Member States to define the criteria under which a DSP has to comply, and it is up to a DSP to determine if and how it has to comply with this directive. The directive also states that the impact of a cyber incident on a DSP's clients has to be taken into account. It is expected that the market in which DSPs operate will have a major influence on whether DSPs comply.
The NIS Directive requires entities to implement appropriate security policies and measures in line with the cyber security risks and the possible negative effects on their clients and society. Guidelines regarding cyber security policies and measures are given, for example, by the European Network and Information Security Agency (ENISA), the National Cyber Security Centres or National Competent Authorities. Regulators can demand insight into the implemented security measures, evidence of the effectiveness of security policies and the results of security audits. The regulators have the right to require an external and independent audit with regard to cyber security.
The NIS Directive states that the responsibility to determine penalties for non-compliance lies with the individual Member States. The Directive does, however, state that penalties must be “effective, proportionate, and dissuasive.”
Another aspect of the NIS Directive is the incident notification procedure. Relevant cyber security incidents have to be reported to the appropriate national authorities. In most countries this will be the National Cyber Security Centre (NCSC) or its Computer Security Incident Response Team (CSIRT) and the sectoral regulators. This approach can differ per country.
In general, OESs and DSPs have a dual cyber incident notification obligation. An OES has to inform its national sectoral regulator and its NCSC. A DSP has to inform its sectoral regulator and the CSIRT about a cyber security incident.
At the time of writing, not all of the EU Member States have met the deadline of 9 May 2018 to transpose the NIS Directive into their national laws. It is expected that most countries will finalize the transposition by the end of 2018.
Auditors, and IT auditors in particular, are advised to pay attention to the requirements of the NIS Directive and to take note of the guidance and recommendations regarding cyber security issued by ENISA, the local NCSCs and the local sectoral regulators in charge of enforcing this law.
Companies are advised to determine whether or not compliance with the NIS Directive is necessary, and to assess whether their cyber security measures meet the required standards and whether additional or improved measures are needed. Mazars helps companies with compliance with the NIS Directive and with this assessment.
The NIS Directive: https://ec.europa.eu/digital-single-market/en/network-and-information-security-nis-directive
Information about ENISA: https://www.enisa.europa.eu/topics/critical-information-infrastructures-and-services/cii/nis-directive
State of transposition of the Directive per EU Member State: https://ec.europa.eu/digital-single-market/en/state-play-transposition-nis-directive