from the article « TOUT SAVOIR SUR LA DIRECTIVE NIS » of Bilal Echoui and François Herder by Amin Abdelkefi
What is the NIS Directive?
With the aim of establishing a reliable and secure digital environment in Europe, the European Parliament and the European Union adopted the Network and Information Security (NIS) Directive on 6 July 2016.
This directive defines a set of network and information security requirements that apply to “Digital Service Providers” (DSPs) and “Operators of Essential Services” (OESs). It concerns companies in the energy, transport, banking, financial markets, health, drinking water distribution and digital infrastructure sectors. Companies outside this scope may still need to take note of it if their suppliers and partners are subject to these obligations.
What is at stake?
The European NIS Directive highlights 4 major issues:
What should companies do, specifically?
Stakeholders affected by the NIS Directive must, as part of their projects to comply and improve their overall security, implement 5 key measures:
What are the limitations of the NIS Directive?
Nevertheless, the decree leaves some grey areas. We can highlight:
- The list of information systems (IS) not subject to mapping and declaration
- The depth and duration of annual audits
- The acceptable level of alerts
Some measures of the NIS Directive may already be defined in other reference frameworks. They must therefore be adapted to the environment and the information system concerned, but they must not be weakened in any way. For example, the HAS (Haute Autorité de Santé – French National Authority for Health) certification already imposes governance requirements, an obligation to report incidents and the reporting of indicators.
Link with other Frameworks
The Directive encourages the use of European or international standards and specifications for the security of networks and information systems.
Compliance with the NIS Directive can be achieved by adopting an integrated management system incorporating ISO 27001 and ISO 22301. Such a system helps an organization reach an internationally accepted posture of cyber resilience based on good risk management practices.
Moreover, the NIS Directive is directly inspired by the French Military Programming Law (LPM). It intends to introduce, on a European scale, provisions similar to those the LPM foresees for Operators of Vital Importance (OVIs), in order to protect the most sensitive information systems. However, the list of companies concerned by the NIS Directive will be more extensive, and only financial penalties are provided for in the event of non-compliance. These penalties, applied in the form of fines, will vary between €75,000 and €125,000, depending on the type of breach.
For OVIs already subject to the LPM compliance obligation, the NIS Directive will bring some additional rules related to physical and environmental security.
Compared to the LPM, the deadlines for implementing the rules imposed by the NIS Directive are public and . Below is an indication of the deadlines for some of the rules to be implemented:
- Identification, within two months, of a person responsible for representing the operator to the National Agency for the Security of Information Systems (ANSSI).
- Establishment, within three months, of a list of the networks and information systems necessary for the provision of essential services.
Beijaflore’s approach, success story presentation
In a context similar to that of the NIS Directive, Beijaflore has helped organizations from different sectors bring their Information Systems of Vital Importance into compliance with the Military Programming Law. In particular, this has involved establishing a strategic plan (including a budget estimate), supporting compliance certification (writing procedures, mapping, defining a certification strategy) and assisting with the management of cybersecurity incidents under the LPM.