The Network and Information Systems (NIS) regulations one year on

Nicola Aspinall, Project and Programme Management (P3M) Consultant at Atkins, outlines the changes businesses have had to make to meet the new Network and Information Systems (NIS) regulations and suggests what more needs to be achieved in the future

Strict new laws, known as the Network and Information Systems Regulations 2018 (NIS Regulations), were introduced in May 2018. Their purpose? To protect the NHS, our transport network, our energy and water supplies – and other providers of the UK’s essential services – from the increasing risk of cyber attack. One year on, how are the owners and operators of the infrastructure and technologies that underpin our society ensuring they’re secure?

Understanding the threats to an organisation

As a first step towards compliance, organisations involved in the provision of essential services were required to carry out a self-assessment of their critical systems and processes and identify areas in which security or resilience could be improved. The National Cyber Security Centre (NCSC) created the Cyber Assessment Framework (CAF), which operators of essential services and digital service providers can use as a guide for this activity. They map their security posture against a series of high-level objectives and then interpret the findings to determine if owners and operators are doing enough to protect their assets.

In the past 12 months, many operators have sought the support of engineering and operational technology specialists who can help them develop an in-depth understanding of the risks they face and apply their expert judgement to help the organisation assess how well it’s meeting the requirements of the legislation and balance that with the operator’s appetite for risk. The most effective reviews have focused on more than compliance – they’ve also sought to deliver business benefits.

They’ve developed an improvement plan

To ensure the self-assessment and the wider regulations add value, business leaders need to be prepared to act on the findings. So far, many organisations have put plans in place but making the recommended changes may not be as straightforward. Most operators will need to increase their investment in cyber security, or change attitudes or culture within their firm before they see significant improvements. The question is, will they be able to maintain the momentum that has been created through the introduction of the new legislation in the following few years?

They’re implementing appropriate and proportionate protection

The NIS Regulations don’t include a checklist of what action must be taken to maintain compliance. Instead, they recognise the diversity of organisations that run our critical national infrastructure. This means that owners and operators must manage their risks by implementing ‘appropriate and proportionate security measures’ rather than by ticking a box.

The Competent Authority (CA) will then assess whether the judgements that have been made are reasonable.

The cyber security legislation encourages collaboration and operators should work with their Competent Authorities. CAs have suggested organisations will have time to put new security measures in place, however, they must demonstrate their intention to do this.

They’re embedding strong cyber security throughout their organisations

The introduction of new legislation has raised the profile of cyber security and encouraged senior executives and Board members to invest in initiatives that will create a more resilient organisation. Since May last year, operators have taken the first steps on this journey. Over the coming 12 months, we hope to start to see stronger cyber security practices embedded within their businesses. For example, many organisations celebrate safety milestones. In the future, cyber security milestones could become equally a common place.

Next steps for organisations: Assess, improve, repeat

Organisations that are improving their resilience and ensuring they’ll continue to provide essential services, even in the event of a cyber attack are:

• Engaging fully in the self-assessment process.
• Developing an improvement plan.
• Implementing the appropriate actions.
• Re-assessing their progress.
• Communicating the results to the entire organisation.