The NIS Directive is now two years old – so it’s a good time to check in with your organisation to ensure compliance and to revisit your organisation’s current cybersecurity measures. Like GDPR, the NIS Directive is an EU regulation that was implemented in UK law, and is also governed by the Information Commissioner’s Office. Ultimately, the aim of the NIS Directive was to raise the EU’s cyber resilience by heightening the cyber security measures that critical organisations, such as national infrastructure, were implementing. Therefore, though NIS might seem like just another regulation to comply with, it can have a vastly positive effect on your organisation’s cybersecurity posture.

The NIS Directive has four main segments that it addresses within an organisation’s security processes:

1. Security of systems and facilities: an organisation must ensure that there are procedures, such as access controls, to ensures that their systems and facilities are protected, both digitally and physically.
2. Incident handling: there must be a policy in place to handle an incident or breach which includes mitigation or management steps, and, if necessary, a report to the ICO.
3. Business continuity management: in case of an incident, an organisation must have a continuity plan in place to ensure that critical services are not brought offline for a significant amount of time or that other data protection considerations can be ensured.
4. Continuous monitoring: an organisation must regularly check their systems for vulnerabilities, correcting them as necessary to protect the organisation’s work and capabilities.

Of course, these policies and procedures must be documented within your organisation. Like GDPR, there can be severe fines up to £17 million if an essential organisation is not compliant with the NIS Directive. Even without the threat of fines, creating comprehensive cybersecurity policies can go a long way to warding off disruptive breaches.

If you are a critical organisation, take the time to review your cybersecurity policies to ensure that your organisation is maintaining compliance – and that your cybersecurity is as strong as it can be.

More guidance on this can be found at the UK’s National Cyber Security Centre’s website, which provides organisations with a Cyber Assessment Framework.