Inspired by the French military planning law (LPM), the European NIS (Network and Information Security) directive came into force on 9 May 2018. Now that the decree of application in France was published on 25 May, Robert Wakim, Industry Offer Manager at Stormshield analyses the impact of this series of new cyber-protection regulations.
The entry into force of the European NIS (Network and Information Security) directive, voted in July 2016, opens a new page in cyber-protection. This continues the trend of the LPM (military planning law) applied since 2013 in France, the pioneering country in this field.
The experience of the LPM should reassure those concerned. Its adoption went more smoothly than expected according to ANSSI (the French national agency for the security of information systems). Of the 249 OIVs (Operators of Vital Importance) identified, the vast majority defined their SIIV (Information System of Vital Importance) within the three months required after the decrees were published.
However, the LPM is not an end in and of itself; it is the first step in cyber-protection which is by definition cyclical and iterative. This protection requires regular audits to fight new unknown attacks, as shown by the Spectre and Meltdown security flaws.
NIS: protecting vital interests from an economic point of view
In this, the NIS makes a contribution, but its target is different. Whereas the LPM addressed operators of vital importance in case of an attack on national security (for the transport, energy, food, and health sectors, among others), the NIS approaches the issue from an economic standpoint, switching to vital interests more related to problems in sales, patents, etc.
Therefore, the big companies of the CAC 40 and other European indices are concerned. The NIS adds OESs (Operators of Essential Services) to the LPM's OIVs, expanding the scope of actors targeted although some actors are concerned by both.
Note that the European directive also included DSPs (Digital Service Providers) in the system. Not only does the economy increasingly depend on their services located at a critical part of the system where all network flows pass, but they are also in a strategic position to provide information in case of an incident.
EU member states now have until 9 November 2018 to draft the lists of their OESs and DSPs. In France, Guillaume Poupard, Director General of ANSSI, recently spoke at Orange Cyberdéfense's RIAMS (an identity, auditing and security management forum): "The precise number of OESs is not known, but there will likely be several thousand. This list may grow over time, too".
The precise number of OESs is not known, but there will likely be several thousands.
Guillaume Poupard, Director General of ANSSI
While the LPM may be seen as more of a constraint, or at least more precise, regarding the tools to put in place, the NIS highlights the inter-State communication effort through their agencies. Member states without agencies like ANSSI in France or BSI in Germany will be aided by ENISA. Just like for fires, the idea is to intervene as soon as possible to stop the incident from spreading.
On the company side, the LPM decrees that encourage inventories of infrastructure, a map of the network and the identification of critical risks can be useful in preparing for the European directive through an economic prism.
This preparation should rely on three pillars:
- raising awareness of the knowledge of the cyber-security field among all employees without exception with experts present in-house or through sub-contractors
- conducting audits to draft a precise action plan
- choosing the protection products that best meet their needs.
Cyber-security – reliability – competitiveness: the virtuous cycle
The impact of this new regulation should be invisible to the end client. However, companies should see information system security directors move up in the hierarchy as has been the case in certain big companies that have been the victims of cyber-attacks. Since cyber-security impacts the entire company, all new projects must take this aspect into account upstream.
And the last impact but certainly not the least: an improvement in services. Better control of the network allows malfunctions to be detected sooner. We may see fewer cases of unavailable services. Often seen as a cost, cyber-security is, in fact, a competitive advantage. By making the service stronger, you improve its quality. This aspect is all too often neglected!
