The EU Network and Information Security (NIS) Directive states that from 9 May 2018 onwards, the national legislations in the various EU member states need to be in place. The Directive also states that from 9 November 2018, the EU member states need to identify the organizations for which the legislation is applicable. The overall goal of the NIS Directive is to achieve a high common level of security of networks and information systems within the EU. But the directive also requires attention from Swiss companies.
Fines, reputational risks and required investments
Until recently, Network and Information Security regulation in the EU was limited. Fines for breaches of regulations were sparse and enforcement actions infrequent. With this new NIS Directive, this will change. This can be attributed to three factors:
- The NIS Directive and local legislation introduce potential fines that may vary per member state, but for some will be in line with GDPR. This is a big and serious change compared to the limited sanctioning possibilities under the old regime.
- Enforcement activities by national regulators will increase. Non-compliance breaches will hence be brought to light sooner. The risk of reputational consequences will therefore become all the more real.
- With the NIS Directive and local legislation, a significant effort and investment is required from identified entities to comply with the security regulations.
The NIS Directive introduces 5 new requirements
- The obligation for nation states to adopt a national cyber security strategy and regulation
- Set up a Cooperation group between member states
- Set up a CSIRTs network
- Establish security and notification requirements
- National CSIRT and "single point of contact"
Scope of application remains unclear
Generally, the NIS Directive is applicable to two types of organizations: Digital Service Providers (online marketplaces, search engines and cloud services) and Operators of Essential Services (energy, transport, banking, financial market infrastructures, health sector, drinking water supply and digital infrastructure).
Although those two types of organizations are very different in their nature, their level of automation and their cyber security maturity, the requirements do not differ. This also means that a variety of different industries is targeted. Therefore, for many organizations it remains unclear whether they will be designated in November 2018 as falling under the NIS Directive or not. Given the extensive cost impact of NIS, this creates uncertainty amongst many enterprises.
What does this mean for Swiss companies?
With all the hype around GDPR, the NIS Directive seems to be somewhat neglected. However, this EU regulation may also apply to Swiss companies: multinational organizations must assess which legislation they must comply with per member state, and whether they are considered subject to the EU NIS Directive in each member state. If Swiss multinational companies are designated as Digital Service Providers or Operators of Essential Services, they are obligated to implement state-of-the-art technologies to manage their security risks, with mandatory breach notifications in the event of a substantial or significant incident. This makes the EU NIS Directive highly relevant for some Swiss organizations.