The NIS Directive – just how tough is it really?

Over the last few months, UK media outlets have been filled with reports about the series of tough new measures being introduced on 9th May to protect our national critical infrastructure against cyber threats. In January, the government confirmed that UK critical infrastructure organisations may soon be liable for fines of up to £17m if they fail to implement robust cyber security measures, under its plans to implement the EU’s Network and Information Systems (NIS) Directive. But despite the tough talk, are the current proposals as rigorous as they sound?

In January, the government published its plans to implement the NIS Directive into UK law, following a public consultation. But despite the punitive penalty system, the response avoided making any hard recommendations and instead relies on a high-level regulatory approach built around “appropriate and proportionate technical and organisational measures”, deferring responsibility to the National Cyber Security Centre (NCSC) and the Competent Authorities. Looking to the NCSC guidance, the series of measures it outlines is heavily weighted towards reactive attack reporting rather than advising organisations on how to better shore up their perimeter with proactive defence solutions. As an example, within the guidance organisations are asked to define their own risk profile, and then prove their resilience against that profile – the equivalent of being graded on a test you wrote yourself.

In this light, it’s unclear how the NIS Regulations can deliver a framework of minimum standards for CNI. If the intended outcome is genuinely tied to resilience against cyber-attacks, then these essential services should be required to remain available during all but the most extreme cyber-attacks. The outcome described in the guidance points merely to the proper disclosure of failed protection and the swift recovery from that failure. My concern remains that implementation of the NIS Directive will be viewed as a mere “tick box” exercise which requires the bare minimum to be done, rather than allowing the UK to set world-leading standards in this area.

As a UK citizen, I fear that our government is failing to deliver on the promises outlined in its Digital Strategy, which pledged to make the UK “the safest place in the world to live and work online.” This is all deeply concerning, especially given that Ciaran Martin, the head of the NCSC, warned in January that it was a matter of “when, not if” the UK faces a major cyber-attack that might cripple infrastructure such as energy supplies or the financial services sector. Across all parts of critical national infrastructure, we are seeing a greater number of sophisticated and damaging cyber threats which are often believed to be the work of foreign governments seeking to cause political upheaval. Last year’s DDoS attacks against the transport network in Sweden caused train delays and disrupted travel services, while the WannaCry ransomware attacks last May demonstrated the capacity for cyber-attacks to impact people’s access to essential services. Only this month, we have seen a surge in record-breaking DDoS attacks that exploit the Memcached vulnerability.

As the draft NIS Regulations become UK law, we have a golden opportunity to improve the UK’s cyber security posture. Let’s hope we can still seize this moment and build an ecosystem that genuinely protects our critical infrastructure against today’s cyber-attacks.