Implementing the Network and Information Systems Directive in the Transport Sector

Earlier today, the UK government released a guide for essential transport services on implementing the 2016 Network and Information Systems (NIS) Directive.

The guidance:

  • is designed to assist the transport sector with compliance with the NIS Regulations
  • explains the responsibilities of organisations that will be designated as operators of essential services (OES)
  • explains the roles and responsibilities of the competent authorities designated for oversight and enforcement of the NIS Regulations

Link to the full report:

Some thoughts from Andrew Lloyd, President at Corero Network Security:

“In addition to providing a useful summary of the relevant NIS background, related documents and external links, the DfT has also strongly guided as to what outcomes they expect the OES to deliver. For example, in aviation they define this as the “provision of safe and secure services and facilities that enable: a) aircraft to land and take off at airports without undue delay or disruption, and b) passengers to depart and arrive without undue delay or disruption. For example, this could include, but is not limited to, check-in facilities, departure control services, security of passengers and baggage, air navigation services (including en-route) and aircraft operation”.

“They go on to prescribe specific thresholds relating to service failure that, if breached, must be notified to the DfT by the OES. Again, looking at the aviation sector, a “single incident which results in more than 20% of scheduled flights being cancelled in a 24-hour period” by a major airline would be considered as a notifiable incident.

“Consistent with earlier government guidance, the DfT is taking a measured, phased approach to implementing and enforcing the NIS Regulations. The DfT states principles rather than prescriptive requirements that need to be met. Over the next 6 months, there is a requirement for the OES to self-assess their compliance with the principles outlined by the DfT and the guidance issued by the NCSC.

“With this approach, the risk remains that the OES will view NIS compliance as simply another box to tick and the UK’s critical national infrastructure will be no better protected from the cyber-threats as a result.”