Robin Oldham
Head of Security Advisory & Technical Services

Not GDPR – the other Directive you need to know about

There’s been an awful lot written, said and done recently about GDPR, and all the noise is at least partly justified: it affects the majority of businesses and organisations, there’s a hard deadline for compliance, and the penalties for getting it wrong sound really rather spectacular.

However, another Directive is making its way into law in the UK shortly that businesses in Britain and America need to be aware of. Whilst the number of organisations impacted by this is much smaller than the number processing our personal data, by definition these providers of critical services are equally important to each and every one of us as citizens.

The NIS Directive targets organisations that provide Critical National Infrastructure. That’s utilities like water, transport, telecommunications and digital services, and healthcare. This directive includes the prospect of a serious penalty for organisations found significantly lacking.

In May this year, the UK and other EU nations will adopt the EU Network and Information Services Directive (NIS), under which infrastructure providers must defend against and report attacks. The UK Government has confirmed that any exit from the EU will not affect this legislation and regulatory regime.

The good news is that, in pretty much every case, the Directive promotes best practice. It should be treated as an opportunity to review measures already in place, and, if need be, update, extend and make right any potential gaps.

The NIS Cyber Assessment Framework will be released in April, but the high-level principles have been published. The principles set out what the Government is looking for, from governance through to supply chain and proactive security monitoring, maintaining an incident response regime, and separate procedures for reporting breaches and incidents to the relevant authorities. It can be used as a checklist to ensure your organisation is on the right track. I’ve picked out a few highlights from the list.

Security Monitoring

To meet the Security Monitoring and Proactive Security Event Discovery requirements of the Directive, it’s worth looking for the following services. If you don’t have them in-house, then a competent managed security service provider can deliver them:

  • Intelligence led and threat focused detection and response
  • Proactive threat hunting for insider and external threats
  • Industry leading detection analytics
  • Accuracy and speed of response through machine accelerated human decisions
  • Complete infrastructure coverage from endpoint to cloud
  • Access to the latest technology, techniques and processes with the support of experienced experts
  • All delivered from a dedicated Security Operations Centre staffed around the clock

Incident Response

The requirement for Response and Recovery Planning should fit into your organisation’s existing plans and best practice. When a successful cyber attack hits your network and business processes, an effective cyber incident response team will help you meet the requirements for Response and Recovery Planning.

Supply Chain Assurance

The legislation will require you to understand and manage security risks within your supply chain that may harm the essential services you provide. It’s vital to identify your critical suppliers, conduct a proportionate level of assessment, and manage any remedial activities in a manner that focuses on outcomes.


If looking through the NIS Directive gives you the impression that you’re looking at a common-sense checklist for businesses that both deliver vital services to the country and make attractive cyber targets, you’re not alone. Some requirements may seem onerous at first glance, but they also build the foundation for a resilient organisation. Even if your business doesn’t provide a vital national service, it’s worth spending a little time looking through the principles.