Achieving NIS Directive compliance with Enterprise SIEM

 The EU Network and Information Systems Directive (NIS Directive) became law in the UK in May 2018 via the NIS Regulations. They form the basis of the NCSC Cyber Assessment Framework (CAF), which provides guidance for organisations responsible for “vitally important services and activities”. The operators of essential services and digital service providers in the UK are required to keep their networks and information secure and to notify security incidents to “competent authorities” when they occur. 

In the face of mounting worries that interlinked systems and networks, as well as an increasing link between IT systems and industrial control systems (ICS), could provide an avenue for cyber attacks, the regulation aims to bolster cyber security and resilience within the critical infrastructure sector (“essential services” and “digital services”).


What the NIS Directive means for operators

The net effect of the NIS Directive and Regulation is that operators of essential services and digital service providers are required to keep their networks and information secure and to notify security incidents to “competent authorities” when they occur. 

The critical NIS Cyber Security Principles

Regardless of geographical location, there are two key cyber security principles that all operators of Critical Infrastructure need to defend their assets: C1 Security Monitoring and C2 Proactive Security Event Discovery

C.1 Security Monitoring

The organisation monitors the security status of the networks and systems supporting the essential functions in order to detect potential security problems and to track the on-going effectiveness of protective security measures.

C.2 Proactive Security Event Discovery

The organisation detects, within networks and information systems, malicious activity affecting, or with the potential to affect, the operation of essential functions even when the activity evades standard signature based security prevent/detect solutions (or when standard solutions are not deployable).

How CNI regulation works in the UK

In the UK there is no single competent authority. Instead there are a number of separate organisations, mostly existing industry regulators – assisted by the National Cyber Security Centre (NCSC) – such as Ofcom, Ofwat etc. and the Information Commissioner’s Office (ICO) who are responsible for overseeing compliance and defining rules in the various sectors. This diversity in the definition of rules, standards and processes makes policing compliance a challenge.

NCSC published best practice

The NCSC has published an introduction to the NIS Directive and guidance for Critical Infrastructure organisations; this includes guidance for C1 and C2. Their advice covers:

  1. Managing security risk: Appropriate organisational structures, policies and processes to understand, assess and manage security risks to systems supporting essential functions.
  2. Protecting against cyber attack: Proportionate security measures to protect systems supporting essential functions from cyber attack.
  3. Detecting cyber security events: Ensure security defences are effective and detect cyber security events that could, or will, affect essential functions.
  4. Minimising the impact of cyber security incidents: Minimise the adverse impact of an incident on the operation of essential functions including the restoration of services where necessary.

NCSC also has an associated Cyber Assurance Framework (CAF) for audit, review and assessment services.



The Department for Digital, Culture, Media and Sport (DCMS) is asking the competent authorities (regulators) to take a cautious approach to enforcement initially, to give organisations that are affected by the NIS Directive time to digest and update their cyber security defences. See DCMS guidance here.

While fines under the NIS Directive, in particular for incidents that cause loss of life or actual physical harm, might be severe in due course; initially they should be more modest, especially where operators have “assessed the risks adequately, taken appropriate security measures and engaged with regulators but still suffered an attack”.

How to comply with NIS cyber security principles

Huntsman Security’s Enterprise SIEM has first-hand experience in meeting the high security, real-time visibility and assurance requirements of critical infrastructure organisations. Our customers manage complex network structures, deal with extremely high data volumes and monitor a wide variety of data types and sources. The suitability of our technology for these high critical environments is proven.

  • Governance and Risk – track how you are performing against major government, national and international standards
  • Security analytics and real-time threat detection – detect threats based on known patterns or anomalous behaviour.
  • Automated Threat Verification – take action through infrastructure interconnects to contain, quarantine or mitigate a threat which means that attacks or breaches are rapidly diagnosed and thwarted.

Find out more info about NIS and CNI Security

Request more infoResources and Tools


Read by directors, executives, and security professionals globally, operating in the most complex of security environments.