On 29th January, four months after its closing date, the Government published their response to the Network and Information Systems (NIS) Directive, along with a collection of guidelines to help Operators of Essential Services interpret the requirements.
With over 350 responses to the consultation between August and September 2017, the Government’s response has addressed a number of common concerns and clarified several areas of ambiguity. The result is a much clearer expectation for both Operators and Competent Authorities, including what is to be expected during the first year.
According to the consultation:
“Operators will be given time to implement the necessary security measures. The Government can reassure Operators that the main priority of Competent Authorities for the first year will be in obtaining a clear picture of the security of network and information systems in their sectors.”
“Operators will be expected to have begun analysing their systems and existing security measures in order to understand where further work needs to be done, and to develop plans in order to reach the appropriate levels of security requirements.”
While this sends a clear message about what is expected in the first year, Operators should not underestimate the time and effort this can take, particularly given the complex and diverse technology landscape typically found in Operational Technology environments.
The first step towards compliance is establishing your infrastructure's current state through a formal maturity assessment. Using the results of that assessment, Operators can prioritise their next steps effectively and develop a roadmap to compliance.
As the NIS Directive becomes national law from the 10th May, Operators have a little over one year to develop a robust plan to align themselves with the 14 principles. This will require a clear understanding of scope and of the critical dependencies that ensure the continuity of essential services, including those that sit with third-party suppliers.
Given the significant effort needed to comply with the NISD and the challenges Operators should expect to face along the way, we advise Operators to waste no time in assessing their maturity and effectiveness against the 14 principles.
See the infographic below for a quick look at who is in and out of scope for the NIS Directive.