The NIS (Network and Information System Security) Directive was adopted by the European institutions on 6 July 2016. Its objective is to guarantee a high and common level of security for networks and information systems within the European Union. The Directive highlights several elements. In addition to emphasising cooperation between national authorities and between Member States, it promotes the adoption of a national security strategy in each Member State of the European Union. It also encourages the establishment of a European CSIRT network, again with the aim of improving cooperation between States. Security and notification requirements, in particular for operators of essential services and digital service providers, are reinforced.
The main objective of the Directive is to ensure effective cooperation and protection of Member States’ critical economic and societal activities, in particular in order to protect themselves against the risk of cyber-attacks.
Key parts of the NIS Directive
The NIS Directive addresses different aspects of information security that can be divided into four key parts. The first is a governance component that supports the improvement of Member States’ cyber defense capabilities. This component takes into account elements related to information security risk management, the definition of security policies, performance evaluation and measurement, security audit requirements and human resources security.
The second aspect concerns cooperation between Member States. They must pool their expertise, vigilance and defence capabilities in order to protect themselves against ever-increasing cyber threats. The cooperation covered by the Directive mainly concerns the political and operational aspects of cyber security, while the second part also concerns data protection requirements. Operational security elements must therefore be addressed through system configuration and segregation, network traffic filtering, cryptographic requirements, identity and access management (including privileged account management) and system maintenance. Physical and environmental security must also be considered.
The third part concerns the cyber security of information systems. It is essential to take into account the requirements needed to detect security events and incidents, and to ensure logging of events, their correlation and analysis. The process for managing information security incidents must also be defined and implemented, including incident response and communication to the competent authorities.
Lastly, the fourth part concerns the modalities of organisational resilience, such as business continuity, disaster recovery and crisis management.
The Directive's objective is to regulate and supervise the security of the information systems of operators of essential services, that is, services essential to the functioning of the economy and society. Regulating the security of these actors' information systems is essential to the economic and societal activity of the Member States.
How Excellium can help you
Thanks to our experience in the information security and IT security fields, we help our customers make the right decisions to develop, implement and manage their security. Many customers trust Excellium to help them with their information security programme and thereby to improve their information security maturity level. Familiar with the Luxembourg regulatory framework, our expertise is based on the skills of multidisciplinary teams. This enables us to support our multinational clients in developing and implementing their information security according to frameworks and new regulations, including the NIS Directive, and to demonstrate their level of information security maturity through a cyber-security programme defined by our teams.