There is no doubt that organizations all over the EU are preparing diligently for GDPR. Organizations outside the EU are also affected by GDPR if they currently do, or plan to do, business in the EU. However, another piece of EU legislation is also coming into effect in May 2018 – the NIS Directive. This Directive is the first piece of EU-wide legislation on cybersecurity, and it applies to both operators of essential services and digital service providers.
Operators of essential services include:
- Energy – Electricity, Oil, Gas
- Transport – Air, Rail, Water, Road
- Financial Market Infrastructures
- Health Sector
- Drinking Water Supply
Digital service providers include:
- DNS Service Providers
- TLD Name Registries
According to the Directive, “Network and information systems and services play a vital role in society. Their reliability and security are essential to economic and societal activities, and in particular to the functioning of the internal market. In addition, security and notification requirements should apply to operators of essential services and to digital service providers to promote a culture of risk management and ensure that the most serious incidents are reported.”
The Directive also mandates that EU Member States ensure that operators of the essential services listed above take “appropriate measures” to manage the risks to the security of the network and information systems they use in their daily operations. The Directive adds that, having regard to the state of the art, those measures should be appropriate to the risks the operators face.
The Directive also states that digital service providers should take appropriate measures to manage the risks they face concerning network and information systems they use in the context of offering services as follows:
- The security of systems and facilities
- Incident handling
- Business continuity management
- Monitoring, auditing, and testing
- Compliance with international standards
Clearly, the EU and its member states recognize the potential impact on EU citizens if operators of essential services and digital service providers were hit by cyberattacks that cause outages to networks, systems, and service delivery. This Directive appears to be taking a proactive stance; however, cyberattacks have very likely already affected both kinds of entities in the EU, just as they have elsewhere in the world.
One takeaway from the Directive is its emphasis on the reliability and continuity of essential services and digital service providers. Cyberattacks that could affect both of these entities include widespread increases in pre-attack malicious bot activity, outage-causing denial of service attacks, extensive malware and ransomware epidemics, critical website and application outages and infections, and attacks against APIs and other exposed web properties.
One recommendation for operators of essential services and digital service providers is to exercise due care in all situations: responsibly identify the actual threats that could affect the reliability and continuity of their infrastructures and services, and take the appropriate measures needed to address those threats. Accepting the fact that they are being targeted daily by hackers, cybercriminals, nation-states, and others is a great place to start.
The second recommendation is to partner with a cloud-based security provider that operates in the EU and delivers malicious bot detection and defenses, protection against all types of denial of service attacks, and protection against exploits, malware, and targeted attacks against websites, applications, and APIs. Appropriate measures are already available today that can considerably help operators of essential services and digital service providers manage their risks and defend their operations.