The European Union Network and Information Systems (NIS) Directive will come into effect today, with the provisions of the EU-wide law expected to improve the IT security of critical infrastructure organisations, as well as search engines, online marketplaces and other organisations key to the modern economy.
While less well-known than GDPR, the NIS Directive will be even more far-reaching for the organisations that come under its purview.
The NIS Directive focuses on the security of nationally important infrastructure, such as electricity and water supplies, transport and healthcare. It seeks to improve the security and resilience of these services by bolstering networks against cyber attacks.
The Directive requires member states to have in place "a National Cyber Security Strategy, a Computer Security Incident Response Team (CSIRT), and a national NIS competent authority, or competent authorities", according to the website of the UK's National Cyber Security Centre (NCSC), the lead agency for the Directive's implementation.
There should also be cooperation between states to support the sharing of information about cyber attacks, and states must identify critical organisations or "operators of essential services (OES)", it adds.
It continues: "Those OES will have to take appropriate and proportionate security measures to manage risks to their network and information systems, and they will be required to notify serious incidents to the relevant national authority."
In the UK, the OES category is likely to include suppliers of drinking water and energy; digital infrastructure; the health sector; and air, marine, road and rail transport, according to the government's consultation document. Cloud services, online marketplaces and search engines are also caught by the Directive, but as "digital service providers" (DSPs), a separate category with lighter obligations than those placed on OES.
Sectors such as finance and civil nuclear are considered sufficiently protected by existing measures.
According to Charlie Wedin, cyber security expert at legal practice Osborne Clarke, the Directive is welcome and extremely timely.
"In recent years, the number of cyber attacks against national infrastructure has risen dramatically. This demonstrates just how attractive these systems have become to malicious actors looking to target any vulnerable points in the system," he said.
"The consequences on society can be significant - preventing access to power, transport and emergency services. Recognising the importance of digital services in today's society, the Directive also applies to online marketplaces, search engines and cloud storage."
Organisations falling within the scope of the Directive ought to "carry out a holistic evaluation of their technical and organisational measures to ensure the security of their networks and information," said Wedin.
He added: "They should also test their security measures with realistic 'war game' simulations to proactively identify and rectify potential weaknesses."