EU GDPR vs NIS Directive
As said above, while the EU’s General Data Protection Regulation (GDPR) is a privacy directive focused on organizations that collect personal data, the NIS Directive (NISD) is focused on strengthening operational resilience of organizations. Specifically, the directive applies to organizations that provide services in critical infrastructure sectors (i.e. Energy, transport, banking & financial, water, health sector, digital infrastructure etc.). Although the directive is already into force, the effects of the new laws will be revealed by the end of 2018. It is important to note that the NIS Directive applies to all EU member states in its entirety. Specifically, by May 9, 2018, all EU member states had to incorporate NIS Directive into their national laws and by November 9, 2018 they have to identify the operators of essential services.
Of course, substantial financial penalties will be imposed in case of non-compliance; each EU member state will decide with respect to penalties and deadlines. Organizations outside the EU, that have operations in EU member states, will be also affected by the new law.
NISD focuses on operational resilience
Operational resilience is a set of techniques that allow people, processes and informational systems to adapt to changing patterns. It is the ability to alter operations in the face of changing business conditions. Operationally resilient enterprises have the organizational competencies to ramp up or slow down operations in a way that provides a competitive edge and enables quick and local process modification.
This Directive requires risk assessment, vulnerability detection and management and incident response processes for operators of critical services as per below
- an entity provides a service which is essential for the maintenance of critical societal and/or economic activities
- the provision of that service depends on network and information systems
- an incident would have significant disruptive effects on the provision of that service.
Three major requirements of the NISD
- A national security strategy: EU Member States should prepare a complete plan by establishing a solid governance framework, performing awareness and training programs, implementing research and development plans etc. Each State should designate a national competent authority and a single point of contact to keep track of compliance.
- A Cooperation Group and a CSIRT network: A Cooperation Group should share best practices and lead CSIRTs of Member States, while the CSIRT network will be a group of national CSIRTs that will work together with the Computer Emergency Response Team for EU agencies (CERT-EU) to maintain the security of critical services and prevent or mitigate cyberattacks.
- Cyber security requirements & incident reporting: The Directive notes that operators of essential services and digital service providers should have appropriate technical and organizational measures to manage the cyber risks. Furthermore, ensuring the continuity of services as well as minimizing any impact of a security incident should be among the operators’ top priorities.
Which are the opportunities of the NISD in maritime
NISD should be viewed as means by which to bring harbor authorities, port operators, passenger and freight transport organizations up to speed with the modern digital world. Operators, in order to take advantage of the new directive, should:
- Build a cyber resilient culture
- Enhance supply chain trust and resilience
- Ensure cyber insurance