In a previous blog post I’ve already listed the many benefits of complying with the European NIS Directive, an important piece of EU legislation aimed at creating an overall higher level of cybersecurity in the European Union. But how do you go about achieving that beneficial compliance in actual practice? 

Whether you’re an operator of essential services (OES) or a digital service provider (DSP), the NIS Directive obliges you to ensure a certain level of security by identifying and taking appropriate and proportional security measures - some organizational, others purely technical in nature. 

Some of these measures allow you to manage the risks of cybersecurity breaches in a preventative manner. To that end, both DSPs and OESs must provide information that allows for an in-depth assessment of their information systems and security policies. Other measures are aimed at preventing and minimizing the actual impact of incidents and at notifying the relevant parties - more specifically: the computer security incident response teams (CSIRT) - of any incidents. Significant cybersecurity incidents are determined by the longevity and geographical reach of the security breach as well as by the number of users affected by it. 

Security measures for OESs.

Operators of essential services should first and foremost define the scope of the essential services they are providing (stakeholders involved, requirements, interfaces, …). After appointing a single point of contact (SPOC) for the security of their network and information systems, they also need to inform their sectoral authority of the SPOC’s contact details. They can turn to that same authority for practical guidance on the possible risks and measures to be taken.  

Finally, after identifying and mapping the potential risks to the security of their network and information systems, OESs need to identify, test and implement the organizational and technical measures necessary to mitigate those risks. These measures should be state of the art and part of a security policy that is brought into line with the information security standard ISO/IEC 27001. Ideally, they are also part of a business continuity plan. 

Digital service providers, too, need to identify, test and implement the necessary organizational and technical security measures. But first they ought to designate as well a SPOC for their computer systems and notify the sectoral authority of it. DSPs can look for guidance in a specific regulation provided by the European Commission. 

And then there are the security measures that both OESs and DSPs should be taking. To begin with, they both should establish the leadership of the required information security governance. This means creating a clear vision and allocating the roles and responsibilities for managing information security. They also need to set up a security incident management policy in which there must be a procedure for incident notification and lastly they should create an information security management system (ISMS). 

Would you like to have more information about the NIS Directive and what it means for your organization? Download our white paper by clicking here. 

"A practical guide for implementing Network & Information Security (NIS) in Belgium"