
Taking the EU cyber security Directive seriously

19 July 2019

The EU’s NIS Directive (Directive on security of network and information systems) is the first piece of EU-wide cyber security legislation. It aims to achieve a high common level of network and information system security across the EU’s critical infrastructure. The Directive was enacted into UK law on 10 May 2018, and fines of up to £17 million can be levied on companies found to be in contravention.

Image: Shutterstock

The UK regulations provide legal measures to boost the cyber and physical security of network and information systems critical to the provision of digital and essential services. So-called critical national infrastructure includes the energy, transport, water, chemical and various process sectors, in addition to health.

Organisations within these sectors must secure their network and information systems by taking technical and organisational measures appropriate to the risk.

This includes ensuring service continuity by taking measures to prevent incidents and minimise their impact, and notifying regulators of any security incident that has a significant impact.

Compliance with the NIS Regulations will be monitored through audits and investigations conducted by the designated competent authorities.

The CAF (Cyber Assessment Framework), developed by the NCSC (National Cyber Security Centre), provides guidance for organisations to assess themselves against 14 security principles and outlines the acceptable levels of security for organisations under the Regulations’ requirements.

At a minimum, board members need to take the following measures:
*  Security awareness – encouraging all employees to notice variations in machine behaviour and report them
*  Risk analysis around IT and OT systems – checking security controls and updates before introducing new systems that promise to monitor all devices or boost productivity
*  Understanding the nature of specific cyber threats to the business – third-party equipment and staff’s personal USB devices may present a more genuine security threat than hostile states or hackers
*  Segregation of systems – many manufacturing firms have grown through acquisitions and mergers and operate with varied IT and OT systems
*  Good understanding of penetration testing and its application – checking physical as well as cyber security against intruders

While the largest international companies have quickly adapted to the connected world thanks to abundant financial resources and skilled personnel, cyber security is a more daunting prospect for smaller enterprises. Nevertheless, information security specialists are available to provide all the necessary support – surely a better use of resources than paying a large fine.
