NIS Directive Gets Real After OES Deadline

Written by

The implementation of major EU-wide security legislation took a major leap forward on Friday as the government officially identified the organizations that will be required to comply with the NIS Directive.

Known in full as the directive on the security of network and information systems, the law will be applied slightly differently by each member state.

A key driver for the directive is to improve baseline security among providers of critical infrastructure, known as “operators of essential services” (OES). It will help to do this with GDPR-like maximum fines of £17m or 4% of global annual turnover, and mandatory 72-hour notifications of serious incidents.

Although the directive came into force on May 10, Friday was the deadline for governments to identify these OES organizations, which cover several sectors: energy, transport, healthcare, water and digital infrastructure.

“The number of targeted intrusions into the UK’s critical infrastructure is increasing. Employing preventative cybersecurity solutions that seamlessly integrate security into control systems is therefore essential,” argued Palo Alto Networks CSO, Greg Day.  

“The NCSC has made effective implementation of NIS a priority since it came into effect in May, issuing detailed guidance for both businesses and implementing agencies. Today’s step, whereby the UK government informs those entities considered operators of essential services, is another important milestone in the UK’s efforts on the hugely important issue of cybersecurity.”

Matt Walmsley, EMEA director at Vectra, welcomed the latest deadline as helping to force operators in key sectors to focus on improved security.

“Bad actors, and particularly those of nation states, are well-resourced, innovative and highly motivated, and organizations have limited time, finite human and technical resources and capabilities with which to protect their rapidly expanding attack surface,” he added.

“Nation states, or their sponsored proxies, have broad motivations, and expecting the unexpected is a difficult task. All organizations therefore need to realize that breaches are a case of if not when and so equip themselves to identify and respond to attacks to remediate them in their early stages before damage is done. It’s a tough and never-ending task for the defenders, and one increasingly requiring levels of automation and empowerment from artificial intelligence.”

What’s hot on Infosecurity Magazine?