AbleToTrain by Willing & Able

NIS Directive – Step-by-step Guide for companies – part 2

What obligations do you have according to NIS?

As an essential service operator (OSE) and/or digital service provider (FSD), you have the following obligations under the NIS Directive, and implicitly under the national laws transposing it, to maintain the security of your networks and information systems:

  1. Implement appropriate and proportionate technical and organizational measures that meet the minimum security requirements.

These minimum security requirements relate to:

  • access rights management;

  • user awareness and training;

  • logging and ensuring the traceability of activities within computer networks and systems;

  • testing and evaluating the security of computer networks and systems;

  • management of network and computer systems configurations;

  • ensuring the availability of essential services and the functioning of computer networks and systems;

  • management of the continuity of the operation of the essential service;

  • user identification and authentication management;

  • incident response;

  • maintenance of computer networks and systems;

  • management of external memory media;

  • ensuring the physical protection of computer networks and systems;

  • implementation of security plans;

  • ensuring staff security;

  • risk analysis and assessment;

  • ensuring the protection of products and services related to computer networks and systems;

  • vulnerability management and security alerts.

  2. Implement appropriate measures to prevent and mitigate the impact of incidents that compromise the security of the networks and information systems used to provide essential services, so that those services remain available.

  3. Establish a permanent point of contact and assign responsibility for monitoring it to the staff responsible for network and information system security.

  4. Respond promptly to incidents, restore the service to its pre-incident state as quickly as possible, and conduct a security audit afterwards.

  5. Connect to CERT-RO's alert and cooperation service within 60 days of registration in the Register of essential service operators, ensure permanent monitoring of the alerts and requests received through this service or through other contact channels, and take appropriate response measures as soon as possible within your own networks and information systems.

In addition to these technical obligations, whether your organization is an essential service operator or a digital service provider, you must report the required information to CERT-RO, including any incident that has had a significant impact on the continuity of the firm's essential services. You are also subject to CERT-RO checks that verify your level of compliance with the law's requirements.


What technical rules do you have to follow? List for OSE

Your organization must protect four areas of security, according to the Technical Rules on Minimum Requirements for Network and Information Systems Security for Essential Service Operators:

  1. Governance refers to the creation and enforcement of security policies at the organizational level, and is the responsibility of the company's senior management.

  2. Protection refers to the need to safeguard the security of networks and computer systems. This covers managing and maintaining resources, networks, and computer systems, as well as controlling access to the components of computer networks and systems.

  3. Cyber defense refers to the need to manage security incidents. How does your firm detect events that compromise network and computer security? What is your strategy for dealing with them?

  4. Resilience refers to the management of the continuity of the essential services offered, in other words business continuity. Here you should ask yourself how you handle crisis situations such as natural disasters, and what you do if a security incident has a significant effect on essential services.

Each of the four security areas is divided into categories of security activities; for each category, security measures are defined, each with one or more security criteria, which are in turn followed by control indicators.

In order to comply with the security regulations, OSE businesses must:

  • identify the risks they face if they do not implement the security requirements;

  • plan the activities underlying the implementation;

  • designate those responsible for carrying them out.

Returning to the technical rules, this article covers only the governance area; the other areas will be discussed in more detail in future articles.