6 takeaways of the NIS regulation

So, we already learned from Youri’s blog that we are not just looking for good recommendations to stay in Serbia.

Once we researched the right NIS (The Security of Network & Information Systems Regulations), I found that these were the 6 main takeaways for me:

  1. It’s a directive, not a regulation.
    • Just reading the directive itself is not enough. Since it’s a directive, all member states’ governments have to implement their own laws regarding the NIS.
    • Belgium approved a preliminary draft law, but there is no final version yet.
  2. The main goal is to set minimum standards for cybersecurity preparedness.
  3. It’s not applicable to all companies. The NIS is only applicable to Digital Service Providers and Operators of Essential Services (aka critical infrastructure providers):
    • Energy
    • Transport
    • Banking
    • Financial market infrastructures
    • Health sector
    • Drinking water supply and distribution
  4. A good way to become NIS-compliant is to implement an Information Security Management System, for instance using ISO27001.
  5. The NIS directive aims for better communication regarding cybersecurity across EU member states. Therefore, each member state needs to have CSIRTs: Computer Security Incident Response Teams. These teams will be responsible for monitoring incidents, providing early threat warnings, and responding to any incident in that country. This is not all they do: they communicate cross border as well. This way, all member states can learn from each other.
  6. Fines are not defined by the European Union. All member states are obligated to develop a system of sanctions. We don’t know what these sanctions are going to be in Belgium yet.

I hope my 6 takeaways are useful and we will be sure to keep you updated as we learn more about the NIS in the months to come.

If you ended up on this blog meaning to plan your trip to Nis, Serbia: I really preferred the Ćevapi for dinner or some Rakia for drinks during my stay there.


, ,

How not to google the NIS regulation

When looking for the EU Network and Information Security directives I found out that googling just ‘NIS’ does not reveal the hot potato I was looking for. The first page of the Google search results pointed me in the direction of Nis, a city in Serbia. Things to do, reviews from travellers, where to eat, buying flight tickets… Anything you want to know about the second largest city of Serbia, but no sign of the directive.

Hold on… maybe there is… but I admit it’s quite hidden. Let me explain.

On one hand, citizens of Nis are connected to the electricity network and the digital network, they use and drink water, they go to banks for their financial stuff and … they even have an airport: The Constantine the Great airport! On the other hand, NIS is applicable to a variety of sectors such as energy, transport, health, the financial sector, water supply and digital infrastructure. All these sectors are active in Nis!

So yes, there is a clear link between Nis and NIS. I hear you thinking: So what? Nice story, but what’s your point? Well… you’re absolutely right. There is no point, and in fact there is not even a link. Another Google search revealed that after all Serbia is not a member of the EU (yet), meaning that NIS is not yet really applicable to Nis.

What a pity… that’s where this story ends.

Providing details about the notification of security incidents, how to handle cross-border incidents, the role of ENISA and how ISO 27001 can play an important role towards NIS compliance… They just don’t fit in this story anymore.

But don’t worry, I’ll consider writing another post to explain these interesting matters, but first … I will check some reviews from travellers to Nis.