Obligations of the EU NIS Directive for reporting security threats and incidents

Imagine everyday life without electricity, clean tap water and digital services. You wake up in the morning and notice absence of networks on your cell phone. Water is not supplied when needed.  Toaster will not work due to power failure. When you go to work, you notice that your car is low on fuel and you try to refuel your car without success – all distribution stations are powered by electricity. All radio stations broadcast alert messages of a widespread cyberattack. At work, you cannot get inside the office door, and you would not be able to work, because everything is digital…

The above description is completely fictitious, but it certainly gives you an idea of ​​what cloud providers, energy companies, and water providers have in common. They provide critical services for society to function.

An EU-wide Network and Information Security Directive (NIS) has been introduced at EU level to increase cyber awareness and to manage cyber disruptions in EU countries. The NIS Directive entered into force on 9 May 2018 as part of every national legislations. It obligates critical infrastructure operators to report security threats and incidents broadly and systematically to supervisory authorities. The aim is to ensure continuity of societies, to create an up-to-date cyber awareness at EU level and to increase the reliability of critical services.

The NIS Directive based national legislation affects a wide range of companies and public organizations in various sectors. These industries provide indispensable and essential services to citizens in Finland and throughout Europe by relying on cyberspace systems. The NIS Directive directly obligates digital service providers, such as search engines, cloud services and digital marketplaces, to report security incidents and threats. In addition, every EU country defines their list of the providers of essential services independently. These include organizations in the fields of energy, transport, banking, finance, healthcare, water and digital services.

Each sector has its own national legal basis and responsible authorities. To mention some examples, the energy sector of Finland reports anomalies and imminent situations under the Electricity Market Act to the Energy Authority. Secondly, the financial sector of Finland reports to the Financial Supervisory Authority. Thirdly, health care providers of Finland report to Valvira in accordance with regulations concerning electronic processing of customer data. These responsible authorities will forward all information to Finland’s centralized national Point of Contact (PoC): Traficom’s Cyber ​​Security Center, which will forward the information to the EU-level Cyber Security Incident Response Teams (CSIRTs).

Reporting cybersecurity incidents does not add or remove organisation’s responsibilities. Official notification opens up the possibility of solving an incident with the assistance of authorities. On the other hand, the notification carries the possibility of strategic risk of company’s reputation and the negligent handling of the reported information by the authorities may lead to an operational risk of trade secret leakage. The likelihood of these risks can be reduced by anticipating future obligations and by stepping up to cooperation with the appropriate authorities.

In addition, organizations providing network and information system solutions, such as system, hardware and service providers (i.e. Insta DefSec), are indirectly affected by the NIS Directive. Organizations need network and information system solutions as well as administrative expertise in cyber security to support the fulfillment of national NIS obligations and further improve cyber readiness above the compulsory level. Companies such as Insta DefSec are providing this kind of expertise and knowledge.

The fulfillment of obligations can be divided into technical and administrative measures. Technical solutions include the implementation and continuous development of cyber situational awareness solutions such as SIEM (Security Incident and Event Management) and SOC (Security Operations Center) services, secure identity confirmation tools and data communications security solutions. Without adequate technical tools and skills, cyber events will not provide enough information for complying authoritative requirements.

Administrative solutions, in turn, are implemented through the accordance of security standards like ISO/IEC 27001 Information Security Management System (ISMS) and risk management. Status surveys and ethical hacking security audits are important to ensure present state of affairs and the effectiveness of the measures taken to improve the current situation. This can continually improve organization’s level of cyber readiness from both business and regulatory perspectives.

Equally, all the important obligations imposed by the NIS Directive should be taken seriously – even without the NIS Directive existence. It is a good idea to take the necessary measures and at the same time improve business continuity, cyber resilience and security readiness comprehensively. Guidance, help and readily made solutions are all readily available. Now is the right time to catch an opportunity and lead your company to business-friendly solutions in terms of the NIS Directive. Above all, to ensure your bright and safe tomorrow.

Santeri Taskinen, santeri.taskinen@insta.fi

Cyber Security Specialist, Insta DefSec Oy, www.insta.fi/en/services/cyber-security security@insta.fi

References

1. The Official Journal of the European Union, 19.7.2016, Directive of the European Parliament and of the Council (EU) 2016/1148 measures for a high common level of security of network and information systems.
2. The Official Journal of the European Union, 14.11.2012, Regulation of the European Parliament and the Council (EU) 2012/1025 on European standardization.
3. Rantala Jonna, 24.9.2017, NIS-direktiivin kahdet kasvot – riskit ja riskienhallinta. Univ. of Jyväskylä.
4. Hartikainen Jarna, 8.10.2018, NIS-direktiivi ja toimeenpano Suomessa. Finnish communications agency.
5. Parliament of Finland, 2017, Government proposal 192/2017 amending the laws implementing the European Union’s Network and Information Security Directive.
6. FINLEX, 21.8.2019, Electricity Market Act 2013/588.
7. FINLEX, 9.2.2007, Act on the Electronic Processing of Customer and Social Care Information2007/159
8. FINLEX, 8.8.2014, Act on Credit Institutions 610/2014