The UK agency’s principles-based guidance on cybersecurity for OES adds important detail to NIS Directive obligations.

By Gail Crawford, Mark Sun, Fiona Maclean, and Malika Sajdik

The National Cyber Security Centre (NCSC) has published introductory guidance for operators of essential services (OES) on the new cybersecurity rules under the EU’s Security of Network and Information Systems Directive (NIS Directive). The NIS Directive is the first EU-wide legislation on cybersecurity and must be transposed into member state domestic legislation by 9 May 2018. (Additional information on the NIS Directive, and the UK’s approach to implementation, is available in this blog post.) The NCSC’s guidance, released 28 January 2018, aims to help OES improve their security infrastructure and reduce the likelihood of their suffering a cyber incident.

Structure of the guidance

The guidance is principles-based, rather than prescriptive. The NCSC opted for this approach to accommodate an ever-changing cybersecurity landscape. The guidance covers a wide range of topics such as cloud service providers, data security, and supply chain management. In addition, the guidance includes practical examples of effective cybersecurity practices and explains why they are important.

Significance of the guidance

OES will be required to use the principles to assess the robustness of their security operations and to drive continuous improvement. The NCSC indicated that its guidance will be widely applicable and encouraged all sectors to take note of the recommendations. It remains to be seen whether this guidance will evolve into a market practice standard.

Next steps

The NCSC confirmed that it will not have a regulatory role under the NIS Directive’s implementing legislation. Instead, the NCSC will continue to provide technical support and guidance to governmental departments, alongside the Competent Authorities that will be responsible for enforcing the NIS Directive. While the UK has yet to release a draft of the NIS Directive’s implementing legislation, the NCSC’s guidance is a useful starting point for OES to work towards improving their network and security standards.

This post was prepared with the assistance of Caroline Omotayo in the London office of Latham & Watkins.