The Network and Information Systems Regulations (NIS Regulations) came into force on 10 May 2018. The aim of the Regulations is to establish a common level of security for network and information systems in organisations that operate within the UK Critical National Infrastructure (CNI). As we enter the latter half of 2019, what has been the effect of the NIS Regulations?
How has NIS Impacted OESs?
Under the NIS Regulations, Operators of Essential Services (OES) are defined as organisations responsible for providing critical systems. For those organisations designated as an OES, the last year has seen them completing the Cyber Assessment Framework (CAF), and identifying to their relevant Competent Authorities (CA) where they stand in terms of alignment to the Regulations. Needless to say, the last year has been quite active for OESs – but what are the effects of the NIS Regulations on an OES supply chain?
What’s the real impact of NIS on OES supply chains?
For organisations that supply a pivotal service to an OES, the immediate impact of the NIS Regulations has been minimal, and I have even heard talk of the NIS Regulations being ‘scaremongering’. Many corporate boards are in a state of compliance fatigue following the introduction of the General Data Protection Regulation (GDPR), and were no doubt thankful that they were not an OES. That could well be about to change!
As the NIS Regulations do not apply directly to the supply chain of an OES, it is the responsibility of the OES to put in place appropriate and proportionate cyber security countermeasures with its suppliers. The last 12 months have seen OESs taking an introspective approach to the NIS Regulations as they deploy internal compliance measures hot on the heels of GDPR. At best, an OES considered its existing supply chain when compiling its response to Section A.4 of the CAF. Now we are finally starting to see demands for cyber security assurance included in tender requirements.
Although we work with many organisations that provide critical services to an OES, it is only in the last month that those clients have asked for assistance in providing assurance to OESs. The NIS Regulations are now appearing in tender documents and in supplier review processes. What does that mean for an organisation aspiring to secure a lucrative contract with an OES?
How can suppliers better position themselves?
Postponing cyber security assurance activities until after a Request for Proposal (RFP) lands will result in an uphill struggle to win the business. Demonstrable compliance with cyber security standards, such as Cyber Essentials and the ISO/NIST series, requires investment in time and resources. It is simply not feasible to put the necessary processes in place in the short window that an RFP permits. Unfortunately, many are leaving it until the requirement is concrete. Those that act now stand to reap the rewards as OESs include cyber security compliance as a mandatory component of contractual terms. To act now, suppliers should commission an independent review of their security compliance gap against the NIS Regulations, with the overall objective of bringing their compliance in line with the requirements of OESs.