Why the European Union Network Information Security (NIS) Directive should be on your Radar

Irrespective of whether you or your organization is based in the European Union or not, if you are concerned about cybersecurity risks, the NIS directive should be on your radar – literally!

What is NIS, you may wonder? It’s the EU Network Information Security (NIS) Directive, which has been passed into member state law this year and has entered its implementation phase, which will likely run through to late 2020. It will directly affect EU-based critical infrastructure providers and specific digital service providers, but it will also produce a range of spin-off initiatives that are relevant well beyond these sectors.

The NIS directive leads to much-needed investment in cybersecurity: the establishment and/or appointment of National Competent Authorities (NCAs), EU-level cooperation, and mandatory investments by critical infrastructure providers (energy, telecommunications, banking, healthcare, etc.) and critical digital service providers. Yet the “fallout” for non-regulated organizations is also substantial. While the different NCAs all have to comply with the NIS requirements, as well as possible additional national requirements, many of them have substantial freedom of operation.

This is where the relevance lies for the “rest of us”. All this investment leads to a wealth of additional threat intelligence and services that are very relevant. Let’s look at a few examples:

  • The UK National Cyber Security Center (NCSC) provides ongoing threat updates as well as weekly summaries and recommendations that are highly useful and relevant
  • The Dutch National Cyber Security Center (NCSC) engages with the community to provide coordinated vulnerability disclosures that in return benefit the community
  • The German DsiN provides specific support for individuals and SMEs around cybersecurity and a range of documentation and tools

These are just a few examples, most of which are available in English, but it is clear that there is already a portfolio of services accessible to individuals and organizations alike, and on the back of NIS this service portfolio will likely be broadened and improved.

Hence, if you are concerned about potential cybersecurity risks, even while NIS may not directly affect you, awareness of it and the benefits provided might just help you reduce your attack surface and reduce your risk.

Now that you know how NIS may affect your business, wouldn’t it be foolish not to take advantage of all these services in light of the ever-increasing threat profile?