What do the NIS regulations mean for organisations?
The Network and Information Systems (NIS) Regulations came into effect on 10 May 2018. Their aim is to improve both the cyber security and the physical resilience of network and information systems for providers of essential services in the UK.
These systems are vital for digital services, such as online search engines and cloud computing, as well as essential services, such as transport and energy.
Our partner and information law specialist, Andrew Hartshorn, gives his insights on what the regulations mean for organisations:
What challenges do the rules present?
“Understanding how the rules will alter the practices of the organisation is the first concern of any company. For example, the response of each of the Competent Authorities created under the NIS regulations is different, so consistency of rule interpretation is not guaranteed.
“An OES (Operator of Essential Services) must understand the possible risks to their networks and information systems. Vulnerability issues are not limited to an organisation’s own systems but extend to their supply chain systems too, to the extent that they are reliant on them. It is vital that this is considered.
“Any changes to networks and information systems should be looked at in terms of risk. Data, including sensitive data, flows inside and outside organisations. Therefore, it must be appropriately protected. If GDPR is anything to go by, the more that companies look into their systems and processes, the more issues they find.”
How have organisations responded to the rules?
“No official responses have emerged into the public domain, but responses will vary across sectors, due to the different approaches the regulators take.
“In particular, the energy sector is taking the regulations very seriously. OES were required by Ofgem to undertake self-assessment activities by 15 February. Any necessary self-improvement plans are to be submitted by 30 April. On the other hand, Ofcom has issued interim guidance, but has not explained how the rules will be applied.”
Where could organisations struggle to comply?
“Pulling together the sheer amount of information about data flows will be a struggle for some. As well as this, understanding how sub-contractors and supply chains can expose vulnerabilities could be difficult.
“Employee bases must also understand the implications of the regulations in order to fully comply. This does not happen overnight.”
What should organisations do to ensure they comply?
“Ongoing monitoring of infrastructure, processes and supply chain by OES is needed in order to ensure compliance.
“As soon as possible, energy suppliers should be updating all the relevant processes, procedures and policies to fit with the regulations, with employee training programmes complementing this. Ideally, a C-suite level individual should take on the task of ensuring compliance.
“Much like GDPR compliance, all organisations should use data protection impact assessments to assess both personal and general data security. If this is done, the compliance process will be made much easier.”