NIS Directive and BCM

The “EU-NIS Directive (NIS = Network Information Security) is being (or already has been) transposed into country laws.

The legislation mainly applies to “Essential Service Providers” (“ESP’s”) as well as Digital service providers. These service providers (to be designated by the countries’ authorities) will also need to be compliant.

Europe is aiming for a high and common level of security of network and information systems for all ESP’s because they are so important for the security and economy of a country.

The “EU-NIS” does not apply directly to the AEDs, but to the Member States themselves who implement the EU-NIS through national legislation.

Each Member State therefore introduces technical and organizational obligations that can be considered as “minimum standards”.

WHY CAN NIS BE IMPORTANT FOR YOUR ORGANIZATION?

First, your organization can itself be a provider of essential services. After all, it concerns sectors such as: utilities in general (energy, transport, gas, supply and distribution of drinking water), banking (although with many exceptions), infrastructure and service providers for the financial market, healthcare (hospitals) and digital service providers.

It is also possible that your organization has interactions with the provider(s) of essential services. In many cases, such an organization will demand the same level of safety from its partners and suppliers. (This is be- cause the AEDs have reporting obligations in case of incidents, so, for those reasons, their major suppliers are involved).

It is also possible that your organization may wish to comply with the principles of EU-NIS for other reasons on its own initiative.

HOW DOES BUSINESS CONTINUITY MANAGEMENT FIT INTO THE NIS STORY?

The NIS irrefutably requires Member States to ensure that providers of essential services take appropriate measures to prevent and minimize the effects of incidents that affect the security of the network and information systems used to provide those essential services to guarantee the continuity of these services.

The goal of this guideline is of course to prevent or limit incidents. This must ensure that the continuity of the service provider is assured.

Continuity management (Business Continuity) is dealt with explicitly 14 times and has therefore become an unmistakable element in what is (from now on) legally regarded as “good security”.

HOW DOES RISK MANAGEMENT FIT INTO THE NIS STORY?

Not only the continuity of a company is discussed, but also the risks to which it can be confronted. Although the risks are not explicitly listed (this would be impossible given the sector specificity), these are cyber risks, physical risks, etc.). The “pallet” of risks is therefore broad and non-exhaustive.

The AEDs are required to detect, manage and handle risks through measures including Business Continuity Management. Again, we see that business continuity, factually and legally, is a good practice.

HOW DOES DATA PROTECTION FIT INTO THE NIS STORY?

The EU-GDPR (AVG) clearly state that any incident (of a technical or non-technical nature) may involve an infringe- ment if they involve risks for those involved (the data subjects). In other words, losses or unavailability of personal data can be considered as a possible infringement.

The incidents or events that give rise to a GDPR infringement can also cause a NIS infringement. Handling such incident or event can therefore be carried out simultaneously, from a NIS point of view, but also from an EU-GDPR point of view. The same principle applies about reporting obligations.

WHICH SOLUTION CAN WE OFFER YOU?

RealBCP is a comprehensive business continuity tool (& method), when you apply it you will directly contribute to NIS compliance as well as EU-GDPR compliance. (RealDPG is available for EU-GDPR compliancy building).

In addition to the numerous benefits of RealBCP, we also provide:

  • 5 methodical points of contact between EU-GDPR and Business Continuity.
  • Compliance with the mandatory ISO22301 documents.
  • Compliance with the ISO27001 obligations regarding the continuity of information risk management.
  • Full “mapping” of ISO27001 / ISO22301 / EU-GDPR / EU-NIS, which makes your contributions clear and simple.

In short, when you use RealBCP, you effectively contribute to the NIS compliance of your organization.
If you have any questions, we are happy to give you answers.