I am a digital service provider. What about NIS?
In a previous blog, we briefly described the European NIS directive and the impact it has on companies and public institutions (referred to in this blog as “organizations”).
In this blog, we zoom in on the “Digital Service Providers.” Let us start with the definition of Digital Service Providers, or providers of digital services:
Article 4, point 5, which defines the “digital service,” refers to the legal definition in point (b) of Article 1 (1) of Directive (EU) 2015/1535, while restricting the scope to the types of services listed in Annex III. In point (b) of Article 1 (1) of Directive (EU) 2015/1535, this service is defined as “any service that is usually provided for remuneration and is performed remotely, by electronic means and upon individual request of a recipient of services,” and in Annex III of this Directive, three specific types of services are listed:
- Online marketplaces
- Online search engines
- Cloud computing services
How do I determine whether my organization has to comply with the NIS regulation?
This is a fairly simple analysis: based on the definitions below, you determine which category applies to you. We will give you a step-by-step plan in the following section.
- Providers of online marketplaces
An online marketplace offers a large and diverse group of companies the opportunity to develop their trading activities towards consumers and to establish business relationships with other companies.
- Providers of online search engines
The term “online search engine” is defined in Article 4 (18) and further clarified in recital 16. It is defined as a digital service that allows users to perform searches on, in principle, all websites or websites in a particular language based on a search query.
- Providers of cloud computing services
Article 4 (19) defines a “cloud computing service” as a digital service that allows access to a scalable and elastic pool of shareable computer capacity, and recital 17 provides further clarification on the terms “computer capacity” and “scalable and elastic pool.”
This means that the following “as-a-service providers” are included:
So if you offer one of the three types of service mentioned above, compliance with the NIS legislation is unavoidable.
I am a digital service provider, what now?
The analysis that determines whether or not you have to comply with NIS is already a step in the right direction.
However, the real work is still to come: meeting the set deadlines and passing the accompanying audit(s).
The following step-by-step plan shows you how:
- Step 1: determine the scope of your digital services
- Step 2: inventory the processes that are linked to these essential services
- Step 3: inventory the network and information systems linked to those critical processes
- Step 4: perform a risk analysis
- Step 5: develop an information protection policy (cf. ISO 27001:2013)
- Step 6: implement measures (including the appointment of a DPO)
- Step 7: audit / certify
In every step, the starting points of the NIS legislation must be kept in mind at all times:
- Protection of digital services
- Incident reporting
- Continuity of digital services
In terms of processes, we mainly think of those that:
- are directly connected to essential services
- support the above processes
- are related to the reporting of emergencies
With the NIS legislation, governments want to raise information security to a higher level. This means that you must safeguard:
- The availability and integrity of information
- The exclusivity, confidentiality, and security of information
And what if I don’t do anything?
Similar to the GDPR, the NIS law can impose both administrative and criminal sanctions. Criminal fines can quickly amount to 75,000 euros (multiplied by 8), or a prison sentence of up to two years may be imposed. Administrative sanctions of up to 200,000 euros are also possible.
In addition, the competent authorities have the option to monitor compliance with this new law.
So although the GDPR has received more attention than the NIS law, compliance with the latter will be just as important.
How can SecureLink help?
Within SecureLink, the Cyber Security Advisory team is responsible for helping organizations with all kinds of governance, risk, and compliance issues. This team starts from the business processes and uses them to fine-tune the typical IT and information security processes. Not only the processes are addressed; the human factor is also taken into account, since people are the strongest or weakest link in the chain.
Would you like more information about this NIS legislation? Or do you want guidance in complying with this legislation? My colleague Wim Van Langenhove and I are happy to help you further. You can reach us via [email protected]