The Directive on security of network and information systems (the NIS Directive) requires transposition into European Union Member States’ domestic law by May 9, 2018 (definition of an EU Directive). The NIS Directive, adopted in July 2016, entered into force in August 2016. The UK’s National Cyber Security Center (NCSC) published an Introduction to the NIS Directive, which provides an overview of the application of the NIS Directive; a second web site sets out top level objectives of the NIS Directive. Objectives guidance on managing security risks, protecting against cyber attack, detecting cyber security events, minimising cyber security event impacts, examples of supply chain cyber attacks, assessment of supply chain practices, and the 12 principles of supply chain security are posted on the NCSC website. The NCSC also published an Introduction to identity and access management. The Cyber Assessment Framework (CAF) will be published by the end of April 2018. A table setting out the 14 NIS principles together with related guidance and objectives was updated in March 2018. There are a number of infographics covering various topics concerning cyber security and a glossary of terms. You may read the consultation related to the NIS Directive, which is now closed, for further detailed information and guidance on applicability of the NIS Directive to your company or business.
The NIS Directive applies to “operators of essential services” and “digital service providers.” Essential services operators are designated by member state governments. Digital service providers include online marketplaces, search engines, and cloud computing services. Commission Implementing Regulation (EU) 2018/151 of 30 January 2018 established rules for application of the NIS Directive to digital service providers and incident reports. The UK implemented the NIS Directive through The Network and Information Systems Regulations 2018 on 10 May 2018.
The NIS Directive addresses security requirements or goals as well as incident reporting together with possible implementation of fines or penalties as determined by EU member governments. The Directive works together with the GDPR Regulation and is, generally, part of the overall EU regime on data security, privacy, and the single digital market. www.erskine-law.com
If your business operates online, then your business/company should seriously address cybersecurity issues. The Small Business Administration (SBA) dedicates a page to describing and linking to “Top Tools and Resources for Small Business Owners”. The page features links to fact sheets, webinars, online courses, and other federal agency resources. One such resource comes from the Federal Communications Commission (FCC), which provides, through an interactive web site, a Small Biz Cyber Planner that a company may use to “create and save a custom cyber security plan for your company, choosing from a menu of expert advice to address your specific business needs and concerns.” There is also a link to the Department of Homeland Security’s Cyber Resilience Review (CRR), “…a no-cost, voluntary, non-technical assessment to evaluate an organization’s operational resilience and cybersecurity practices.” The CRR page contains a number of downloadable forms and resource guides. An additional SBA webpage contains their “Social Media Cyber-Vandalism Toolkit”, which
…provides guidance and security practices to small businesses using these tools in their online operations. Suggestions and resources prepare users to respond to cyber-hijacking, and will empower digital users to make informed choices and enact future policy.