How the right approach to the NIS Directive will drive both cyber and operational resilience

24 August 2018

By Andrew Miller, Partner, Cyber Security, Government & Health Industries, and James Hunt, Senior Manager

Contact: +44 (0)7701 296796

Organisations in critical infrastructure sectors such as energy, utilities, transport, health and digital services are experiencing disruption from a range of digitalisation and automation technologies, and that disruption often brings increased risk with it. In this blog, we discuss the importance of the NIS Directive in ensuring disruption is met with operational and cyber resilience, as well as the steps that need to be taken to clearly understand, implement and demonstrate compliance.

Linking cyber risks with safety risks

These organisations, known as ‘Operators of Essential Services’ (OESs) and ‘Relevant Digital Service Providers’ (RDSPs), need to be able to link cyber security risk with their safety risk assessment processes in order to quantify the safety consequences of a cyber threat or vulnerability. Only by implementing security and privacy by design and ensuring safety will these organisations obtain and sustain the public’s confidence. Additionally, without establishing a common cyber security framework, substantiating the safety and security of future systems will remain extremely difficult, and potentially dangerous.

What is the NIS Directive and why is this important?

To address this, the UK government transposed the EU Network and Information Systems (NIS) Directive into UK law on 10 May 2018, as part of plans to make Britain’s essential networks and infrastructure safe, secure and resilient against the risk of future cyber attacks.

The NIS Directive requires OESs and RDSPs to:

  • Take appropriate and proportionate security measures to achieve the outcomes set out by the 14 NIS principles
  • Notify the relevant national authorities of serious incidents and events

As with the GDPR, the NIS Directive imposes strict sanctions; organisations that fail to implement effective cyber security measures could face significant fines and suffer reputational damage. The government wants to encourage a collaborative and proactive approach between the OESs and the regulatory authorities required to enforce the directive, referred to as ‘Competent Authorities’ (CAs) (e.g. Ofcom, CAA, DfT and Ofgem), so that both parties can be assured that the OESs are effectively managing the cyber security risks within their industry.

So what are the upcoming timelines now that this has been implemented? In November 2018, CAs will produce further detailed sector-specific guidance, intended to reflect the unique circumstances of each sector, prepared in consultation with designated OESs and with the support of the NCSC.

What should these organisations be doing?

OESs and RDSPs will need to demonstrate compliance against the cross-sector guidance produced by the NCSC, called the Cyber Assessment Framework (CAF). This includes:

  • Identifying in-scope network and information systems
  • Achieving the outcomes set out by the 14 NIS principles
  • Reporting security incidents ‘without undue delay’

Where new guidance is produced in future, OESs should be given enough time to incorporate it into their risk management and security measures.

Seek help from specialists in cyber and business risk advisory

We understand the ambiguity and complexity that organisations face when incorporating the NIS Directive into their risk management programmes, particularly when attention must simultaneously be given to other sector- and region-specific regulations.

PwC is working with organisations throughout their NIS transformation journey to:

  • Help understand their level of cyber security maturity
  • Identify their security and compliance gaps and put these into context with their board-level risks
  • Prioritise and implement a roadmap to compliance
  • Demonstrate operational and cyber resilience

To find out more about how we can help you to alleviate the pressures of the NIS Directive and focus on driving strategic success, please contact our seasoned experts using the details above.