National Cyber Security Centre Releases NIS Directive Guidance

Latham & Watkins LLP

[co-author: Malika Sadjik]

The UK agency’s principles-based guidance on cybersecurity for OES adds important detail to NIS Directive obligations.

The National Cyber Security Centre (NCSC) has published introductory guidance for operators of essential services (OES) on the new cybersecurity rules under the EU’s Security of Network and Information Systems Directive (NIS Directive). The NIS Directive is the first EU-wide legislation on cybersecurity and must be transposed into member state domestic legislation by 9 May 2018. (Additional information on the NIS Directive, and the UK’s approach to implementation, is available in this blog post.) The NCSC’s guidance, released 28 January 2018, aims to help OES improve their security infrastructure and reduce their likelihood of suffering a cyber incident.

Structure of the guidance

The guidance is principles-based, rather than prescriptive. The NCSC opted for this approach to accommodate an ever-changing cybersecurity landscape. The guidance covers a wide range of topics such as cloud service providers, data security, and supply chain management. In addition, the guidance includes practical examples of effective cybersecurity practices and explains why they are important.

Significance of the guidance

OES will be required to use the principles to assess the robustness of their security operations and to drive continuous improvement. The NCSC indicated that its guidance will be widely applicable and encouraged all sectors to take note of the recommendations. It remains to be seen whether this guidance will evolve into a market practice standard.

Next steps

The NCSC confirmed that it will not have a regulatory role under the NIS Directive’s implementing legislation. Instead, the NCSC will continue to provide technical support and guidance to governmental departments, alongside the Competent Authorities that will be responsible for enforcing the NIS Directive. While the UK has yet to release a draft of the NIS Directive’s implementing legislation, the NCSC’s guidance is a useful starting point for OES to work towards improving their network and security standards.

This post was prepared with the assistance of Caroline Omotayo in the London office of Latham & Watkins.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Latham & Watkins LLP
