The EU Directive on Security of Network and Information Systems (NIS) was the EU's response to concerns about the impact of cyber security incidents on key infrastructure within the EU and the consequences that such incidents would have for its citizens.
Member states were given 21 months to implement the Directive into their domestic legal frameworks, and England and Wales did this in May 2018. Some may say that the arrival of the GDPR overshadowed this related but important piece of legislation for certain industry sectors.
The impact of NIS must therefore be considered by all those in the energy, transport, health and water sectors, as well as by "qualifying" DSPs (digital service providers). It should also be considered by those that form part of the supply chain for these sectors.
The Cyber Security Framework ("the CAF") was established by the National Cyber Security Centre in response to the obligation under NIS for competent authorities to assess the NIS compliance of those caught by it.
The CAF sets out indicators of good practice, which are designed to assess whether or not the outcomes required by NIS are being achieved.
If your business provides services to those sectors, or if you are a qualifying DSP, you must ensure that your contractual frameworks support the new law and manage the risk associated with NIS non-compliance. This is a separate exercise from ensuring compliance with the GDPR and the new Data Protection Act 2018.
If disposing of your business, be prepared for enhanced due diligence and be ready to demonstrate compliance; if acquiring, make sure your legal team are able to advise on the practicalities and deal with any risk.