NIS Directive Compliance
Take the necessary technical measures and meet the minimum security requirements for network and information systems
In recent years, the European Union has made it a priority to establish a minimum set of requirements that ensure cyber security at an industry level. Since GDPR came into force, the EU has focused on strengthening the member states’ resilience to cyber attacks, on protecting critical and digital infrastructures and on ensuring effective processes for systems that are essential to society.
Thus, the NIS Directive (see EU 2016/1148) has become the first piece of EU cybersecurity legislation. According to the Directive, member states:
- must establish specific national cybersecurity capabilities (e.g. appointing a national CSIRT);
- are encouraged to strengthen cooperation with other member states (e.g. developing an operational EU CSIRT network or setting up a strategic working group).
If your organisation is an essential services supplier or a digital services provider, you will have to comply with the Directive’s requirements.
Meet NIS Directive requirements
In November 2021, a survey among 947 essential services suppliers and digital services providers in the EU conducted by the European Union Cyber Security Agency (ENISA) showed that:
- 48.9% of the responding organisations see a very significant or significant impact of the NIS Directive on information security;
- Nearly 50% of the organisations believe that the implementation of the NIS Directive has strengthened their incident detection capabilities, while 26% believe it has strengthened their ability to recover from incidents.
Law 362/2018 on ensuring a high common level of network and information systems security, which transposes the NIS Directive, specifically addresses the liability of essential services suppliers and digital services providers.
Legislation requires these entities to have appropriate security controls and processes in place. Those that do not comply with the NIS requirements can be fined up to 5% of their turnover. Fines can also range from RON 3,000 to RON 50,000 for repeated violations. Operators with a turnover greater than RON 2 million risk fines ranging between 0.5% and 2% of their turnover.
Who are the Essential Services Suppliers subject to the NIS Directive requirements?
The Essential Services Suppliers subject to the legislation’s requirements operate in 7 critical economic activities: energy, transportation, banking, financial markets, health, water and digital infrastructure.
Essential services suppliers are responsible for registering in the Essential Services Suppliers Registry, following an audit carried out by a NIS security auditor certified by the National Directorate of Cybersecurity (DNSC). In addition, they must adhere to and implement technical and organisational measures, aligned with national and international standards, that cover, among others:
- access rights, user identification and authentication management;
- user awareness and training while ensuring personnel security;
- testing and reviewing network and information system security;
- network and information systems configuration management;
- ensuring availability and continuity in providing an essential service and in the proper operation of the network and information systems;
- incident response and vulnerability and security alert management;
- network and information systems maintenance and physical protection;
- developing security plans and policies;
- ensuring protection for products and services related to network and information systems.
Who are the Digital Services Providers subject to the NIS Directive requirements?
The Digital Services Providers are grouped in 3 categories:
- online markets
- online search engines/browsers
- cloud computing services
The organisational and technical measures they have to implement are the following:
- system and installations security;
- incident response management;
- activity continuity plan management;
- monitoring, auditing and testing;
- compliance with European and international standards.
How can Bit Sentinel assist you in the NIS Directive Compliance process?
In 2021, Bit Sentinel received the Cybersecurity Auditor Certificate – specific, joint and general for essential services suppliers, issued by the National Directorate of Cybersecurity – DNSC.
This certificate is a recognition of our team’s performance and of our company’s ability to provide professional cybersecurity services that guarantee compliance with the NIS Directive.
How does the NIS Directive compliance process work with Bit Sentinel?
Step 1. Make the initial analysis
Bit Sentinel’s team of certified auditors will determine whether your organisation qualifies as an essential services supplier or as a digital services provider. Essential services suppliers will then be registered by DNSC in the Essential Services Suppliers Registry.
Step 2. Evaluate the current state of compliance
Our specialists will investigate to what extent the current level of cyber security in your company is compliant with the NIS Directive. At this stage, we will look at specific elements of governance, protection, security, defense and resilience. Subsequently, we will provide recommendations for the necessary technical and organisational measures that help you meet the minimum security requirements.
Step 3. Implement the technical measures for compliance
In this stage, our team of cybersecurity experts will handle the implementation of the measures recommended in the previous step, prioritising the activities according to the particularities of your business.
Step 4. Start the security audit
We will conduct a security audit that validates the implementation of the recommended measures. Through this assessment we will consider all governance, protection, security, defense and resilience measures needed to meet the minimum security requirements. The services required include IT and operational security audits, penetration testing and so on.
Step 5. Collaborate with the CERT-RO service as national CSIRT
Our BSS-CERT team will monitor network and information systems and will notify the CERT-RO division of DNSC, as the national CSIRT, of any potential incident.
Step 6. Manage incident response
In the event of a security breach, our incident response team – accredited by Trusted Introducer, the world’s largest Computer Security Incident Response Team (CSIRT) – will assist you in all activities legally required following such an incident, while restoring the proper operation of essential services.