Stratia Consulting specialise in Information Assurance and Risk Management.

We have years of experience in providing information assurance and information risk management services to all kinds of businesses. It does not matter whether you run a small start-up company or a large corporation, we will ensure your assets are protected and maintained efficiently. Our aim is to find the best form of protection for your business and provide you with the means to manage risks effectively in order to minimise financial costs and prevent damage to your reputation.

Cookie Policy

A cookie is a small text file that a website stores in your browser, and that your browser sends back on later visits to that site. Cookies let a website recognise your browser, analyse web traffic and respond to you as an individual: the web application can tailor its operations to your needs, likes and dislikes by remembering information about your preferences.

We use traffic log cookies to identify which pages are being used. This helps us analyse data about web page traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system.

Overall, cookies help us provide you with a better website by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.

You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.

Network and Information Systems Directive (NISD)

What is NISD?

The Network and Information Systems Directive (NISD) is relevant to you if you are an Operator of Essential Services or a Digital Service Provider, i.e. an online marketplace, an online search engine or a cloud services provider (unless you are subject to sector-specific regulation in this area). The Directive may also be relevant to you if you are part of the supply chain of such providers.

Who has to comply with NISD?

The primary concern for those who think they might be caught by NISD centres on the definitions of Operators of Essential Services (OESs) and Digital Service Providers (DSPs).

  • OESs – the government has been refining the identification thresholds used to define who is in scope to make them clearer and help companies understand whether they need to comply.
  • DSPs – the government recognises that defining DSPs "continues to be a challenge" but intends to limit the scope of those who have to comply with NISD to "those companies whose loss of service could have the greatest impact on the UK economy, either directly or through impact on other companies". This will include Software as a Service companies but excludes micro and small businesses.

In short, if you are in the critical sectors of financial services, health, water, energy or transport, you will be required to assess your risks and ensure you have the appropriate controls in place. Telecommunications providers are regulated under separate telecoms legislation and fall outside the security and notification requirements of NISD. Online marketplaces are also in scope, as Digital Service Providers rather than as critical infrastructure.

Assessment Framework

The National Cyber Security Centre (NCSC) has published the NISD Cyber Assessment Framework (CAF). Competent Authorities use the CAF, or a sector framework based on it, to assess whether an OES meets the NIS security requirements.
The NCSC also publishes online guidance on NIS.

Sanctions

There has been a lot of concern around the potential for 'double jeopardy' in terms of fines under NISD and the GDPR. The government confirms that it intends to amend the proposed penalty regime to introduce a maximum financial penalty of £17m for all contraventions under NISD. It cannot, however, remove the possibility of additional sanctions relating to different aspects of wrongdoing under other applicable law, including the GDPR.
Note that NISD will not apply directly to suppliers to OESs or DSPs, and enforcement will not take place down the supply chain. OESs and DSPs will be responsible for ensuring that their suppliers have appropriate measures in place so that the OES or DSP itself remains compliant.

Incident reporting, Enforcement and Guidance

There are currently 11 Competent Authorities (CAs) responsible for incident reporting, enforcement and assistance around the implementation of NISD. They are a mix of the existing sector regulators and the responsible Government Departments.

The government clarifies that CAs will publish incident reporting thresholds. Reporting timeframes will mirror those under the GDPR, i.e. "without undue delay and, where feasible, no later than 72 hours after having become aware of the incident".

Incident reporting under NISD focuses on interruption to service. Under Article 14(3), an OES must notify its CA or Computer Security Incident Response Team (CSIRT) of "incidents having a significant impact on the continuity of the essential services they provide". DSPs are required under Article 16(3) to notify their CA or CSIRT of "any incident having a substantial impact on the provision of a service…that they offer within the Union". An incident is defined as "any event having an actual adverse effect on the security of network and information systems".

Download PDF:
NIS_Consultation_Response

How can we assist?

Stratia Consulting is a founding National Cyber Security Centre (NCSC) Certified Cyber Security Consultancy. As such, we have demonstrated that we meet the NCSC's standards for high-quality, tailored expert cyber advice and can act as a Competent Independent Organisation (CIO) under the terms of the relevant legislation. We have specific skills and prior experience with the Industrial Control Systems (ICS) used in many of the sectors NISD covers, and extensive references for our work in the Energy Generation and Distribution, Financial, Telecommunications and Transport sectors, among others.

This means we can offer services such as:

  • NISD CAF Assessment to establish actions required by the organisation in order to achieve compliance with the NCSC NISD Cyber Assessment Framework (CAF)
  • Cyber Risk Assessment and Vulnerability testing.
  • Cyber Risk Management.
  • IASME Governance and GDPR.
  • ISO 27001 Consultancy.
  • Cloud Services.
  • Information Assurance.