I am a digital service provider. What about NIS?

How do I determine whether my organization has to comply with the NIS regulation?

In a previous blog, we briefly described the European NIS directive, and the impact it has on companies and public institutions (in this blog called: organizations).

In this blog, we zoom in on the “Digital Service Providers.” Let us start with the definition of Digital Service Providers or providers of digital services:

Article 4, point 5 of the NIS directive, which defines the “digital service,” refers to the legal definition in point (b) of Article 1(1) of Directive (EU) 2015/1535, while restricting the scope to the types of services listed in Annex III. In point (b) of Article 1(1) of Directive (EU) 2015/1535, such a service is defined as “any, usually remunerated service that is performed, by electronic means, remotely and upon individual request for a recipient of services,” and in Annex III of the NIS directive, three specific types of services are listed:

  • Online market places
  • Online search engines
  • Cloud computing services

Source: https://data.consilium.europa.eu/doc/document/ST-12205-2017-ADD-1/nl/pdf

I am a digital service provider, what now?

The analysis that leads to the conclusion of whether or not you have to comply with NIS is already a step in the right direction.

However, the real work still lies ahead: meeting the set deadlines and passing the accompanying audit(s).

The following step-by-step plan shows you how:

  • Step 1: determine the scope of your digital services
  • Step 2: inventory of the processes that are linked to these essential services
  • Step 3: inventory of network and information systems linked to critical processes
  • Step 4: performing a risk analysis
  • Step 5: development of an information protection policy (cf. ISO 27001:2013)
  • Step 6: implement measures (including the appointment of a DPO)
  • Step 7: audit / certify

Throughout all steps, the starting points of the NIS legislation must be kept in mind at all times:

  • Protection of digital services
  • Incident reporting
  • Continuity of digital services

In terms of processes, we mainly think of those that:

  • are directly connected to essential services
  • support the above processes
  • are related to the reporting of emergencies

With the NIS legislation, governments want to raise information security to a higher level. This means that you must watch over:

  • The availability and integrity of information
  • The exclusivity, confidentiality, and security of information

And what if I don’t do anything?

As with the GDPR, the NIS law provides for both administrative and criminal sanctions. Criminal fines can quickly amount to 75,000 euros (multiplied by 8) or a prison sentence of up to two years. Administrative sanctions of up to 200,000 euros are also possible.

In addition, the competent authorities have the power to monitor compliance with this new law.

So although the GDPR has received more attention than the NIS law, compliance with the latter will be just as important.

How can Orange Cyberdefense help?

Within Orange Cyberdefense, the Cyber Security Advisory team is responsible for helping organizations with all kinds of governance, risk, and compliance issues. This team starts from the business processes and uses them to further fine-tune the typical IT and information security processes. Not only the processes are addressed; the human link is also taken into account, since people form the strongest or weakest link in the chain.

Would you like more information about this NIS legislation? Or do you want guidance in complying with this legislation? My colleague Wim Van Langenhove and I are happy to help you further. You can reach us via expert@orangecyberdefense.com.
