Guest blog: Gemserv - Think NIS doesn’t affect you? Think again

The new Network and Information Security (NIS) Directive, which has just come into force, is aimed at raising cybersecurity among operators of essential services (OES), but it could also have significant implications for their suppliers.

The directive, which aims to raise the overall level of cybersecurity across the EU, places significant emphasis on supply chain risk management.

After all, if a key supplier to a major telecoms or transport organisation is hit by a cyber-attack it could also impact on the essential service they provide.

The recently published first version of the Cyber Assessment Framework (CAF), which aims to help UK organisations track their progress against NIS, highlights how the directive’s net is cast much wider than just the key operators themselves.

It stresses how OES need to understand and manage the risks to the networks and information systems which underpin essential services from their dependencies on external suppliers.

Indicators of good practice

The framework highlights a number of indicators of good practice including the need for OES to have a deeper understanding of the supply chain, including sub-contractors, and the wider risks faced.

Factors which should be taken into account include areas such as the supplier’s partnerships, competitors, nationality and other organisations with which they sub-contract to inform risk assessment and procurement processes.

The guidance says OES should also have confidence that information shared with suppliers that might be essential to the essential service is well protected.

As well as the supply chain risk management requirements placed on OES, suppliers will increasingly be expected to demonstrate the robustness of their cyber-security approach to an OES through compliance with standards such as Cyber Essentials and ISO 27001.


Organisations which have implemented an Information Security Management System (ISMS) against a standard such as ISO 27001 will be in a good position for NIS compliance as they will already have analysed risks against their network and information systems, implemented controls to minimise those risks and be continuously improving their ISMS to meet business objectives.

Businesses and organisations can also benefit from information security strategies which ensure they comply with the requirements of both NIS and GDPR.

While their focus is different - with NIS targeting operators of essential services and the GDPR concerned with protecting personal data - both require organisations to adopt risk-based security measures as well as report incidents in case of breaches.

