The new Network and Information Security (NIS) Directive, which has just come into force, is aimed at raising cybersecurity among operators of essential services (OES), but it could also have significant implications for their suppliers.
The directive, which aims to raise the overall level of cybersecurity across the EU, places significant emphasis on supply chain risk management.
After all, if a key supplier to a major telecoms or transport organisation is hit by a cyber-attack, the essential service that organisation provides could be affected too.
The recently published first version of the Cyber Assessment Framework (CAF), which aims to help UK organisations track their progress against NIS, highlights how the directive’s net casts much wider than just the key operators themselves.
It stresses that OES need to understand and manage the risks to the networks and information systems underpinning their essential services that arise from their dependencies on external suppliers.
Indicators of good practice
The framework highlights a number of indicators of good practice including the need for OES to have a deeper understanding of the supply chain, including sub-contractors, and the wider risks faced.
Factors to take into account when informing risk assessment and procurement processes include the supplier’s partnerships, competitors, nationality and the other organisations to which they sub-contract.
The guidance says OES should also have confidence that information shared with suppliers, which may itself be essential to the service, is well protected.
As well as the supply chain risk management requirements placed on OES, suppliers will increasingly be expected to demonstrate the robustness of their cybersecurity approach to an OES through compliance with standards such as Cyber Essentials and ISO 27001.
NIS and GDPR
Organisations which have implemented an Information Security Management System (ISMS) against a standard such as ISO 27001 will be in a good position for NIS compliance, as they will already have analysed the risks to their network and information systems, implemented controls to minimise those risks, and be continuously improving their ISMS to meet business objectives.
Businesses and organisations can also benefit from information security strategies which ensure they comply with the requirements of both NIS and GDPR.
While their focus is different - with NIS targeting operators of essential services and the GDPR concerned with protecting personal data - both require organisations to adopt risk-based security measures and to report incidents when breaches occur.