- General Introduction
- What does the NIS Directive cover and when will it be implemented into UK law?
- Essential Services: Who does the NIS Directive apply to?
- The NCSC role in the implementation of the NIS Directive
- How our guidance is intended to be used – the outcome based approach
- The relationship between NCSC and Competent Authorities
1. General Introduction
The UK will be implementing the EU directive on the security of Networks and Information Systems (known as the NIS Directive). Network and information systems and the essential services they support play a vital role in society, from ensuring the supply of electricity and water, to the provision of healthcare and passenger and freight transport. Their reliability and security are essential to everyday activities.
The EU recognised that any cyber security incident could affect a number of Member States and in 2013 put forward a proposal to improve the EU’s preparedness for a cyber attack. This proposal became a directive in August 2016, giving Member States 21 months to embed the Directive into their respective national laws.
As we have seen from numerous cyber security incidents, these systems can be an attractive target for malicious actors, and they can also be susceptible to disruption through single points of failure. Incidents affecting any of these systems could cause significant damage to the UK’s infrastructure or economy, or result in substantial financial losses. The magnitude, frequency and impact of network and information system security incidents are increasing. Events such as the 2017 WannaCry ransomware attack, the 2016 attacks on US water utilities, and the 2015 attack on Ukraine’s electricity network clearly highlight the impact that incidents can have.
There is therefore a need to improve the security of network and information systems across the UK, with a particular focus on essential services which, if disrupted, could potentially cause significant damage to the economy, society and individuals’ welfare.
2. What does the NIS Directive cover and when will it be implemented into UK law?
The NIS Directive aims to raise levels of the overall security and resilience of network and information systems across the EU. The Directive provides the legal footing to:
- Ensure that Member States have in place a national framework so that they are equipped to manage cyber security incidents and oversee the application of the Directive. This includes a National Cyber Security Strategy, a Computer Security Incident Response Team (CSIRT), and a national NIS competent authority, or competent authorities.
- Set up a Cooperation Group among Member States to support and facilitate strategic cooperation and the exchange of information. The Member States will also need to participate in a CSIRT Network to promote swift and effective operational cooperation on specific network and information system security incidents as well as sharing information about risks.
- Ensure that organisations within vital sectors which rely heavily on information networks, for example utilities, healthcare, transport, and digital infrastructure sectors, are identified by each Member State as “operators of essential services” (OES). Those OES will have to take appropriate and proportionate security measures to manage risks to their network and information systems, and they will be required to notify serious incidents to the relevant national authority. The participation of industry is therefore crucial in the implementation of the directive.
The deadline for Member States to transpose the Directive into domestic legislation is 9 May 2018. The UK Government undertook a Public Consultation during the summer of 2017 to seek views from industry, regulators and other interested parties on the Government’s plans to transpose the Directive into UK legislation. It set out the Government’s proposed transposition approach and asked a series of questions on a range of detailed policy issues relating to transposition. The Government’s Response to the Consultation provides more detail on the revised approach to implementation and what can be expected during the initial phases.
3. Essential Services: Who does the NIS Directive apply to?
Companies and organisations identified as either operators of essential services (OES) or Competent Authorities (CAs) are primarily involved. The criteria for identifying OES and the list of CAs in the UK can be found within the government response to the consultation.
Some sectors are exempt from some aspects of the Directive where there are provisions within their existing regulations which are, or will be, at least equivalent to those the NIS Directive specifies (eg finance and civil nuclear sectors). The technical guidance we produce will be widely applicable, and all sectors should take note of it.
4. The NCSC role in the implementation of the NIS Directive
The NCSC is providing technical support and guidance to other government departments, Devolved Administrations, CAs and OES through:
- a set of cyber security principles for securing essential services
- a collection of supporting guidance
- a Cyber Assessment Framework (CAF) incorporating indicators of good practice
- implementation guidance and support to CAs to enable them to:
  - adapt the NCSC NIS principles for use in their sectors
  - plan and undertake assessments using the CAF and interpret the results.
NCSC has the following three roles in support of the NIS Directive:
- Single Point of Contact (SPOC) – we’ll act as the contact point for engagement with EU partners on NIS, coordinating requests for action or information and submitting annual incident statistics.
- CSIRT (Computer Security Incident Response Team) – incidents that are believed to be reportable under the NIS Directive should be reported to the appropriate Competent Authority. Where they are identified or suspected of having a cyber security aspect, the operator should also contact NCSC for advice and support on these aspects.
- Technical Authority on Cyber Security – the NCSC will support OES and CAs with cyber security advice and guidance and act as a source of technical expertise. We may work with OES and CAs to tailor some generic guidance to individual sectors if necessary.
NCSC will have no regulatory role in NIS.
5. How our guidance is intended to be used – the outcome based approach
The implementation of the NIS Directive is an opportunity to put mechanisms in place that drive real improvements to national cyber security. NCSC is committed to working constructively with CAs and OES to help ensure that NIS regulatory requirements are defined and used to promote and support effective cyber risk management. This objective has shaped the NCSC approach throughout.
While recognising the risk of over-simplifying a complex subject, there are two basic approaches available when aiming to drive change towards a recognised desirable end-state. The first approach is to create a set of prescriptive rules that, if closely followed, will result in achieving the desirable end-state. The second approach is to define a set of principles that, if consistently used to guide decision-making, will collectively result in the desirable end-state. Much has been written about the advantages and disadvantages of the two approaches, but it is the NCSC view that the principles-based approach is more effective as a way of driving improvements to cyber security in the context of the NIS Directive.
To work well, a set of prescriptive rules needs to cater for all eventualities. When this is possible, and the rules are followed, the approach can deliver what is required. However, in complex topic areas and rapidly changing circumstances, it may be impossible to cater for all eventualities. In such cases, which include cyber security, any attempt to devise and apply a set of prescriptive rules is almost certain to lead to unintended consequences, resources being badly misallocated, and limited benefit.
While it is not possible to devise an effective set of prescriptive rules for good cyber security, it is possible to state a set of principles as a guide to cyber security decision-making. NCSC has developed such a set of principles for the implementation of the NIS Directive.
The NIS cyber security principles define a set of top-level outcomes that, collectively, describe good cyber security for operators of essential services. Each principle is accompanied by a narrative which provides more detail, including why the principle is important. Additionally, each principle is supported by a collection of relevant guidance which both highlights some of the relevant factors that an organisation will usually need to take into account when deciding how to achieve the outcome, and recommends some ways to tackle common cyber security challenges.
Some organisations may be concerned that the principles and guidance are too vague. It is important to recognise that the NCSC intent is not to produce an all-encompassing cyber security “to do” list – an unachievable goal in any case. Organisations understand their own business better than any external entity, and should be capable of taking informed, balanced decisions about how they achieve the outcomes specified by the principles. NCSC expects the principles and guidance to be used in the following way by operators of essential services:
1. Understand the principles and why they are important. Interpret the principles for the organisation.
2. Compare the outcomes described in the principles to the organisation’s current practices. Use the guidance to inform the comparison.
3. Identify shortcomings. Understand the seriousness of shortcomings using organisational context and prioritise.
4. Implement prioritised remediation. Use the guidance to inform remediation activities.
6. The relationship between NCSC, Competent Authorities and Operators of Essential Services
While the implementation of the NIS Directive will significantly expand the scope of cyber security regulation in the UK, it will not fundamentally alter the role of NCSC (although we will be taking on the formal roles of CSIRT and Single Point of Contact within the national framework). The key point is that regulatory responsibilities under NIS will be carried out by the new Competent Authorities (CAs), not NCSC. Within the general UK cyber security regulatory environment, including NIS, NCSC’s aim is to operate (as now) as a trusted, expert and impartial advisor to all interested parties.
To help ensure that the Directive delivers the intended improvements in cyber security, NCSC will be supporting the NIS CAs in a number of specific ways. For example, we will assist NIS CAs by developing cyber security standards and guidance, and by helping them build their internal cyber security expertise through accessing suitable training.
However, some important constraints will govern how NCSC works with CAs, in order to maintain the benefits that result from the open and collaborative relationship NCSC enjoys with most of the organisations that fall under the scope of NIS. There will be strong restrictions on the type of cyber security information that NCSC shares with the CAs, and those restrictions will be designed to address concerns about how information considered sensitive by industry and other organisations is handled in the NIS regulatory environment. And, while NCSC will be advising the CAs on how to do cyber security assessments against the NIS standards, we will not be undertaking regulatory assessments on behalf of the CAs.
More detail about how NCSC works with NIS CAs will be made available when the CAs have been fully established.