The Network and Information Security (NIS) Directive aims to achieve a high common level of security of networks and information systems within the European Union. The final text was published on July 6, 2016. By May 9, 2018 the national legislation transposing it needs to be in place.
The NIS Directive establishes security and notification requirements for Operators of Essential Services (OoES) and Digital Service Providers (DSP). The sectors affected are energy, transport, financial market infrastructure, health, drinking water and digital infrastructure; the directive also covers online marketplaces, online search engines and cloud services that provide services in the EU.
The NIS Directive lays down specific requirements for Member States of the EU to adopt a national NIS strategy and to designate National Competent Authorities (NCA), Single Points of Contact (SPoC) and Computer Security Incident Response Teams (CSIRT).
Next to the member state requirements, the NIS Directive also organizes an EU Cooperation Group and a network of CSIRTs.
There are many challenges with the implementation of the NIS Directive. Organizations are faced with additional cyber security legislation on a national level. EU member states, in turn, are faced with requirements for the unbiased identification of Operators of Essential Services and Digital Service Providers. Governing bodies will need to respond adequately to the incidents that organizations are required to report. And last but not least, compliance monitoring and enforcement, including fines, need to be organized.
KPMG has a long history of assisting organizations in preparing for new legislation. We have a large network of Subject Matter Experts on a variety of cyber security topics, from Critical Infrastructure with OT and IT networks to Financial Service Providers and Digital Service Providers. KPMG has member firms all over Europe with experts who can assist with knowledge of local legislation and an overview across a multinational organization.