Hurdles in the Adoption of the EU NIS Directive

Those who have long-awaited a ‘stick’ to improve the cyber resilience of Operational Technologies (OT) will have celebrated the inception of the EU Network and Information Systems Directive (NIS), which seeks to protect critical national infrastructure assets. The breach reporting and penalty mechanisms are the same as for GDPR, so that CNI organisations that experience Business Interruption will suffer fines of up to £17m or 4% of global turnover (whichever is the greater), depending upon the level of cyberattack protections they had in place. However, there are still some hurdles, which may obstruct aspirations for early NIS enactment.

1. The National Cyber Security Centre (NCSC) has delegated the NIS oversight and auditing role to Competent Authorities (CAs). This will extend the role of existing Industry Regulators, who are not yet trained in Cyber Security. However, this does mean that Regulators, who understand their sector, will be keen to ensure appropriate cyber resilience is achieved.
2. Unlike the Information Commissioner’s Office (ICO) which has pre-existing governance and resources to broadcast, orchestrate and implement the transition from Data Protection of Personal Information, to the wider General Data Protection Regulations (GDPR); few such preparations have been laid for the NIS Directive and no-one is yet clear who will investigate breaches or service failings.
3. Operators of Essential Services (OES) have largely not heard of NIS and where they have, the information has been circulated at Cyber Security teams rather than at Board levels, where the investment in Cyber Security for Operational Technology will need to be made.
4. Indeed, Executive level Board members do not understand the differences between OT and IT and are generally comforted that their Cyber Security risks are understood and well managed, not recognising that this only covers part of the domain.
5. They might hear a different story from their Operational Technology managers, who principally are derived from the Engineering teams and who tensely defend their OT from the keen rounds of patching that their Cyber colleagues promote. However, the OT Engineers do not have the same access to the Board and in many cases do not have a good understanding of cyber risks themselves.
6. In the meantime, the Industrial Control Systems that have long been managed in obscurity, are gradually becoming converged with IT systems and networks, making their obsolescence vulnerabilities acutely visible to those that might want to attack them. Even after the impacts of Wannacry, the NHS admits that their OT systems have not been made Cyber resilient, many not yet achieving Cyber Essentials accreditation.

But all is not lost. The NIS Directive applies personal liabilities to CNI Board level directors. Previously these liabilities have been covered by insurance premiums, but insurance companies are becoming more inclined to understand how organisations are managing their cyber risks and less inclined to simply pay out on demand. Watch out for the Insurance Industry, who may soon become champions of the EU NIS Directive implementation.