In a previous blog, we briefly described the European NIS directive and the impact it has on companies and public institutions (referred to in this blog as "organizations").
In this blog, we zoom in on the “Digital Service Providers.” Let us start with the definition of Digital Service Providers or providers of digital services:
Article 4, point 5, which defines the "digital service," refers to the legal definition in point (b) of Article 1 (1) of Directive (EU) 2015/1535, while restricting the scope to the types of services listed in Annex III. In point (b) of Article 1 (1) of Directive (EU) 2015/1535, this service is defined as "any, usually remunerated, service that is performed by electronic means, remotely and upon individual request of a recipient of services," and in Annex III of this Directive, three specific types of services are listed:
Source: https://data.consilium.europa.eu/doc/document/ST-12205-2017-ADD-1/nl/pdf
The analysis that leads to the conclusion of whether you have to comply with NIS or not is already a step in the right direction.
However, the real work is still to come: meeting the set deadlines and passing the accompanying audit(s).
The following step-by-step plan shows you how:
In every step, the starting point of the NIS legislation must be kept in mind at all times:
In terms of processes, we mainly think of those that:
With the NIS legislation, governments want to raise information security to a higher level. This means that you must watch over:
Similar to the GDPR, the NIS law can impose both administrative and criminal fines. These fines can quickly amount to 75,000 euros (multiplied by 8) or a prison sentence of up to two years. Administrative sanctions are also possible up to 200,000 euros.
In addition, the competent authorities have the option to monitor compliance with this new law.
So although the GDPR has received more attention than the NIS law, compliance with the NIS law will be just as important.
Within Orange Cyberdefense, the Cyber Security Advisory team is responsible for helping organizations with all kinds of governance, risk, and compliance issues. This team starts from the business processes and uses them to further fine-tune the typical IT and information security processes. Not only the processes are addressed; the human factor is also taken into account, since people form the strongest or weakest link in the chain.
Would you like more information about this NIS legislation? Or do you want guidance in complying with this legislation? My colleague Wim Van Langenhove and I are happy to help you further. You can reach us via expert@orangecyberdefense.com.