What is the NIS Directive?
The Network and Information Systems (NIS) directive is an initiative developed to protect the economy of the European Union from major cyberthreats.
The NIS Directive was adopted by the European Parliament on July 6th, 2016, and entered into force in August 2016. Member states had to transpose the directive into their national laws by May 9th, 2018 and identify operators of essential services by November 9th 2018.
The NIS directive ensures member states are prepared, and provides legal measures to boost the overall level of cybersecurity in the EU. NIS requires member states to be appropriately equipped in several ways, including Computer Security Incident Response Teams (CSIRT) and a competent national NIS authority.
Businesses that are identified as Operators of Essential Services (OES) have to take appropriate security measures and notify serious incidents to relevant national authority. Key digital service providers including search engines, cloud computing services and online marketplaces also have to comply with the security and notification requirements under the NIS directive.
For organizations to meet the obligations of NIS, the task can be separated into administrative and technical measures. Administrative measures are implemented through the accordance of security standards like ISO/IEC 27001 Information Security Management System (ISMS). These are supported by administrative actions and risk management measures including ongoing user training, security audits and ethical hacking to ensure security competency and to improve organization’s level of cyber readiness from both business and regulatory perspectives.
Technical solutions include the implementation and continuous development of cyber situational awareness solutions such as SIEM (Security Incident and Event Management), secure identity confirmation tools, and data communications security solutions. Only a combination of administrative and technical measures is enough to comply with the NIS authoritative requirements.
PKI and code signing help meet NIS compliance
To meet the fundamental requirement under NIS for “appropriately authenticated and authorized” access, organizations need a method of defining and enacting controls that is both secure and can be deployed across disparate infrastructure and processes.
Public Key Infrastructure (PKI) is the most widely adopted form of technology for establishing the identity of people, devices, and services – enabling controlled access to systems and resources, protection of data, and accountability in transactions. PKI includes a set of hardware, software, policies, processes, and procedures required to create, manage, distribute, use, store, and revoke digital certificates and public keys.
Certificates are issued to entities such as users, devices, web servers, passports, smart cards and IoT devices. The provisioning of certificates to either devices or tokens enables two benefits. Firstly, it gives a device or a token an identity, and secondly, it provides the means to setup a secure encrypted communication channel. PKI and certificates deliver a method as required by the NIS directive to identify, trust and securely communicate with any entity throughout an entire organization, partners, and customers.
PKI also underpins technologies, such as digital signatures and encryption for use cases as diverse as e-commerce and the growing Internet of Things (IoT). Digital signatures can secure additional activities, such as signing PDFs, code or other information assets, to ensure the origin of the document/code or to ensure that a transaction was in place at a certain time. Digital Signatures can allow an organization to track who exactly performed the signature and at what time.
Download white paper
Learn more about PrimeKey's take on the NIS directive in this white paper: