New NIS directive “hugely encouraging”
The Network and Information Security (NIS) Directive, a set of measures from the Department for Digital, Culture, Media and Sport (DCMS) which aim to protect the nation’s critical infrastructure and digital services from cyber attacks and computer network failure, has entered into force.
The new rules, which translate the current EU Directive into UK Law, will apply to roughly 600 organisations across the drinking water supply and distribution, digital infrastructure, energy, health and transport sectors, and digital services including cloud providers.
While fines of up to £17 million loom for cyber breaches, the Government has been clear that it considers them to be a last resort that will not apply to those organisations which have assessed the risks adequately, taken appropriate security measures and engaged with regulators.
The UK Government and its regulators have indicated that there will be reasonable expectations of compliance; the stated ambition for the first year of the NIS Directive is to develop a clear picture of the UK critical national infrastructure’s network and information system security.
Organisations are expected to invest up to £17.5 million in additional security spending in the first year as they review and assess their cyber security readiness.
To support organisations and their respective regulators, the NCSC has published the first version of its Cyber Assessment Framework (CAF), which sets out a number of Good Practice Indicators against the 14 security principles set out in the NIS Directive. Rather than an exhaustive checklist, these serve to encourage organisations to undergo the right internal thought processes to identify what they have to do to improve their cyber security activities.
Phillip Larbey, managing principal of NCC Group’s CENTA commented: “The NIS directive brings with it incentives for organisations across critical national infrastructure to get their house in order, and demonstrate that they are on the front foot when it comes to cyber resilience. While it might take time and money to improve cyber defences, it is an investment worth making in every sector, particularly where critical systems are concerned.
“It is hugely encouraging to see the NCSC actively discouraging organisations from adopting a mere tick-box approach to assessing their cyber security readiness. It is absolutely right that each and every operator in this area should take a good hard look at how it is currently conducting its operations in relation to cyber risk. Only then, and with this increased visibility over the UK’s defences, can we all work together to implement cyber security best practice and enhance the resilience of the systems the nation relies on.”
Published date: 11 May 2018