There’s another deadline in May that needs to be paid attention to – the NIS Directive.

Everyone in the security world is talking about the EU’s General Data Protection Regulation (GDPR), and rightly so. GDPR is almost in full force, supplanting the older (and, some will argue, out-of-date) EU Data Protection Directive (DPD). I don’t think regular readers of security news need to be reminded of the severity of penalties that the EU can levy against negligent misuse and abuse of EU citizens’ data.

But there’s another deadline in May that needs to be paid heed. While GDPR primarily deals with data and how it is used, the NIS Directive is “the first piece of EU-wide legislation on cybersecurity.” The directive was adopted in July 2016, and the European Parliament gave EU Member States 21 months to adopt the directive into their respective state laws, and another half a year to identify the organizations, both public and private, that must adhere to the directive.

Earlier this week the UK announced how it plans to adopt the NIS Directive and some of the measures organizations must take to ensure compliance with it. The NIS Directive was designed to focus on key critical portions of Member States’ information technology infrastructures – sectors like public utilities, power generators, transportation providers, and organizations providing healthcare for the public – all the basic services a nation needs to operate today. The NIS Directive treats each of these sectors as “Operators of Essential Services,” or OESs.

While the NIS Directive currently applies only to OESs, the UK’s National Cyber Security Centre (NCSC) recommends that everyone pay the directive heed. It’s clear this new directive was pushed forward after the substantial impact many attacks have had in recent years on public infrastructure and essential utilities.
WannaCry’s disproportionate impact on the networks of the National Health Service (NHS) is clearly not being forgotten by the NCSC. The NCSC itself understands how complex and difficult it will be to prepare for any and all cyber-related eventualities, and because of this, the guidelines being provided are intentionally vague. In practice, this gives OESs significant freedom and latitude to design, build, and monitor their unique infrastructures in the ways they deem best. Will that be enough?

The top-level objectives of the directive are pretty straightforward:

- Each organization needs to adequately and appropriately manage security risk.
- Each OES needs to have “proportionate” security infrastructure to protect its assets from attack.
- They must have the ability to monitor the effectiveness of their defences and to detect security incidents.
- They must also be able to minimize the severity of incidents and be able to restore services if an attack succeeds in affecting the availability of critical services.

Failure to comply can lead to fines as large as £17M ($24M USD). But the fines themselves seem to be a last resort for the UK after continued failure by OESs to improve and learn from incidents. It appears there is going to be a lot of assistance provided to organizations by Her Majesty’s government, which will be a boon for many organizations that may have fallen behind on cybersecurity obligations.

Though, I find this method to be a double-edged sword. Being pragmatic in understanding that breaches and incidents are going to happen and allowing organizations the ability to learn and improve from them is great. Yet at the same time, the lack of sharp teeth ready to take a giant financial bite out of an organization may give some the false sense that punitive enforcement is just a paper tiger.
I guess we shall see if it is enough.

The biggest takeaway for any organization, even if you aren’t an OES, is that we are entering a new period of regulatory enforcement of cybersecurity-related issues. This is likely just the beginning, and I would not bet against seeing more and more similar rules being adopted all over the globe as things like GDPR and the NIS Directive claim their first sets of penalties. Thankfully, if you’re already thinking about how to comply with GDPR, there will be a significant amount of overlap between the two obligations, and in many cases you will be able to kill two birds with one stone.

But just like GDPR, organizations are going to need to shine some very bright flashlights under the bed to coax out all the monsters hiding under there – before some sharp teeth decide to take a chomp or two.