The NIS (Network and Information Systems) Regulations 2018 applied to two main groups: OES (operators of essential services) and DSPs (digital service providers).
At that time, the NIS Directive applied to OES in the following sectors:
- Energy – electricity, oil and gas.
- Transport – air, rail, water and road.
- Health – healthcare settings (including hospitals, private clinics and online settings).
- Water – drinking water supply and distribution.
- Digital infrastructure – TLD (top-level domain) name registries, DNS (domain name system) service providers and IXP (Internet exchange point) operators.
OES have stricter security requirements than DSPs because of the higher risks they typically face and the fact that service interruptions would have more severe consequences. As such, OES are more actively monitored and subject to audits by their regulators (known as ‘competent authorities’).
New legislative proposals, concluded in December 2020, confirm that the NIS Directive is to be revised to increase the levels of resilience in many more sectors, now including:
- Providers of communications and social networking platforms and data centres
- Waste Water
- Manufacturing in specific sectors (Pharma, Medical Devices, Chemicals)
- Post & Courier services
- Public service administration
The widely held view is that, although the UK has now formally left the EU, the NIS Directive will continue to apply unless there is a significant change from the direction already indicated.
France was the first country to regulate an effective and mandatory cybersecurity system for critical infrastructures. The French Military Programming Law (LPM) is the origin of the European Directive on security of Network and Information Systems.
This system made it possible to identify the Operators of Vital Importance (OVI), private and public, who operate or use installations deemed essential for the survival of the Nation and established a set of standards for all operators and manufacturers.
To further reinforce these laws and directives, the European Cybersecurity Act (in force since June 2019) strengthened the role of ENISA: the agency now has a permanent mandate and is empowered to contribute to stepping up both operational cooperation and crisis management across the EU. ENISA now also has larger financial and human resources than before. The Act also provides the definition of a European cybersecurity certification framework, essential to strengthen the security of the European digital single market.
- The 8th point of the French law derived from the NIS Directive is dedicated to ‘cloisonnement’, meaning segregation.
Seclab ‘Electronic Airgap’ Technology was designed to these standards to protect network (Sec-XN) or USB (Sec-XU) by segregating each area. Since 2014, we have specialized in the protection of critical and strategic infrastructures. We have customers around the world in strategic business sectors including nuclear power generation, oil, railways, and many others.
To find out more: Compliance – Seclab (seclab-security.com)