NIS Directive

How the NIS Directive affects critical infrastructure, businesses and organizations

Contact us about the NIS Directive

Cybersecurity incidents can impede the pursuit of economic activities, generate substantial financial losses, undermine user confidence and cause major damage to the economy of the European Union. In response to this threat, the Directive on Security of Network and Information Systems, NIS Directive in short, was adopted by the European Parliament on July 6th, 2016, and entered into force in August 2016. Member states had to transpose the directive into their national laws by May 9th,  2018 and identify operators of essential services by November 9th 2018.

Goals of the NIS Directive and current outlook

The NIS Directive provides legal measures to boost the overall level of cybersecurity in the EU by ensuring member states’ preparedness. It requires them to be appropriately equipped in several ways, including Computer Security Incident Response Teams (CSIRT) and a competent national NIS authority.

Businesses in these sectors that are identified by the member states as Operators of Essential Services (OES) will have to take appropriate security measures and to notify serious incidents to the relevant national authority. Key digital service providers including search engines, cloud computing services and online marketplaces must also comply with the security and notification requirements under the new directive.

OES’s are public or private sector organizations that are dependent upon network and information systems to provide an essential service to society, which could be significantly disrupted by a cyber incident.

Although NIS is a relatively new regulatory requirement, many of its concepts have already been codified in existing compliance and best practice for industries including financial services and telecoms. In these industries, PKI has already been successfully deployed and widely supported, which has led to a high degree of interoperability. In telecoms for example, PKI is used to build chains of custody from the supplier of a network element where a device is ‘born’ to adoption into a network where the unit is used. For other sectors like cloud services, NIS has put cybersecurity and accountability in the limelight.

Investing in a competent PKI and code signing solution such as PrimeKey’s EJBCA and SignServer reduces the information security risks involved around NIS and related compliance regimes such as GDPR. This enterprise-wide capability reduces operation and maintenance costs compared to other point solutions, secures valuable business models and future-proofs organizations in all industries.

How PKI & code signing help meet NIS compliance

To meet the fundamental requirement under NIS for “appropriately authenticated and authorized” access, organizations need a method of defining and enacting controls that is both secure and can be deployed across disparate infrastructure and processes.

Public Key Infrastructure (PKI) is the most widely adopted form of technology for establishing the identity of people, devices, and services – enabling controlled access to systems and resources, protection of data, and accountability in transactions. PKI includes a set of hardware, software, policies, processes, and procedures required to create, manage, distribute, use, store, and revoke digital certificates and public keys.

Certificates are issued to entities such as users, devices, web servers, passports, smartcards and IoT devices. The provisioning of certificates to either devices or tokens enables two benefits. Firstly, it gives a device or a token an identity, and secondly, it provides the means to setup a secure encrypted communication channel. PKI and certificates deliver a method as required by the NIS directive to identify, trust and securely communicate with any entity throughout an entire organization, partners, and customers.

PKI also underpins technologies, such as digital signatures and encryption for use cases as diverse as e-commerce and the growing Internet of Things (IoT). Digital signatures can secure additional activities, such as signing PDFs, code or other information assets, to ensure the origin of the document/code or to ensure that a transaction was in place at a certain time. Digital Signatures can allow an organization to track who exactly performed the signature and at what time.

Key considerations for successful PKI deployment

Public Key Infrastructure and signing is a technology that has been around for more than 30 years. PKI is driven by industry-wide standards. Deployments have been proven at scale and it is widely used by large organizations today.

Traditionally, PKI has been used for so-called corporate access use cases with the primary goal of controlling humans’ access to information resources. Increasingly, the use case has expanded to machines, servers, sensors, applications, controllers and network devices.

PKI is most effective when an organization adheres to a structured methodology of implementing and managing cyber security best practice. The Swedish Civil Contingencies Agency, for example, recommends that organizations structure and develop methods and processes around existing standards on information security management systems. The ISO 27000 series, mainly ISO 27001 and ISO IEC 27002 are relevant examples of best-in-class information security management systems.

Although PKI has a mature technology community, organizations considering deploying or expanding use of PKI should look for the following vendor criteria:

  • Companies offering cyber security products and services should be certified according to ISO 27001 and ISO 27002 for information security management and quality systems. In addition, ISO 9001 certification suggests a supplier that supports ensuring long term quality and efficiency.
  • Product certifications such as Common Criteria adds additional reassurance of product security and quality to ensure that critical infrastructure and IT services are maintained in all modes, even during an IT attack.
  • Finally, knowing that the product is already installed in several customers installations with audited systems assures that the product can operate in a controlled way within a real-world customer environment.

Get help with PKI and signing in support of NIS compliance

For more information on how PrimeKey can help your organization successfully deliver PKI and signing in support of NIS compliance, fill in your contact information below and we will get in touch with you.

    I accept that PrimeKey stores my information, and I accept cookies for analysis and business identification. Read more about cookies and privacy policy here.

Penalties for non-compliance

All organizations defined as requiring NIS compliance must also report security incidents and threats. A breach of the NIS regulation and failure to report an incident can result in a financial penalty imposed by the local government regulator. The fines for non-reporting vary greatly between nations. Germany can fine organizations up to 50,000 euros, the Netherlands up to 5 million euros and the UK up to 17 million pounds – for a NIS failure that could have led to loss of life. However, the reputational damage inflicted on an OES that has been deemed to lack adequate security control can have significantly larger ramifications on brand and customer trust.

Each member state has a duty to enact NIS within corresponding local legislation. As of April 2019, 11 out of the 27 EU nations have met this mandate. However, it is expected that another six will have complete transposition into local law by the end of 2019. Across all localized versions of the directive, there are four major strategic requirements that regulated OES must comply with:

  • Managing security risk through appropriate organizational structures, policies and processes in place to understand, assess and systematically manage security risks to the network and information systems supporting essential services
  • The continual use of proportionate security measures that are in place to protect essential services and systems from cyber attacks
  • Capabilities to ensure security defenses remain effective and to detect cybersecurity events affecting, or with the potential to affect, essential services.

Capabilities to minimize the impacts of a cybersecurity incident on the delivery of essential services including the restoration of those services where necessary.

Critical controls

To meet these core criteria, every NIS compliant organization understands, documents, and controls access to systems and functions supporting the delivery of essential services. Users (or automated functions) that can access data or services should be appropriately verified, authenticated, and authorized.

In addition, users, devices, and systems should be appropriately authenticated and authorized before access to data or services is granted. For highly privileged access, NIS indicates that it might be appropriate to include approaches such as two-factor or hardware authentication. Unauthorized individuals should be prevented from accessing data or services at all points within the system. This includes system users without the appropriate permissions, unauthorized individuals attempting to interact with any online service presentation, or individuals with unauthorized access to user devices.

Administrative and technical solutions

For organizations to meet the obligations of NIS, the task can be separated into administrative and technical measures. Administrative measures are implemented through the accordance of security standards like ISO/IEC 27001 Information Security Management System (ISMS). These are supported by administrative actions and risk management measures including ongoing user training, security audits and ethical hacking to ensure security competency and to improve organization’s level of cyber readiness from both business and regulatory perspectives.

Technical solutions include the implementation and continuous development of cyber situational awareness solutions such as SIEM (Security Incident and Event Management), secure identity confirmation tools, and data communications security solutions. Only a combination of administrative and technical measures is enough to comply with the NIS authoritative requirements.

Our most popular products

EJBCA Enterprise

EJBCA® Enterprise is a powerful and flexible Certificate Authority and a complete PKI (Public Key Infrastructure) Management System.

EJBCA Appliance

PrimeKey EJBCA Appliance offers the most cost-efficient, easy and secure way to deploy an enterprise PKI system.

SignServer Enterprise

Server-side digital signatures give maximum control and security, allowing your staff and applications to conveniently sign code and documents.

How can we help?

    I accept that PrimeKey stores my information, and I accept cookies for analysis and business identification. Read more about cookies and privacy policy here.
Contact us