Improving Cyber Resilience in Critical National Infrastructure (CNI)

In May 2018, after a long period of consultation with businesses, the UK and other EU nations adopted the EU Network and Information Systems Directive aimed at providing direction and governance for the companies that deliver essential services to defend against, and also report in a structured way, cyber attacks. This has become UK Law and therefore encourages companies who provide infrastructure and essential services to:

  • Adopt the 14 high level security principles
  • Be aware of the penalty framework
  • Maintain an incident response framework including reporting to any relevant authorities anything that could be considered as a Breach and an Incident

If your company provides any CNI such as , but not limited to, Energy (either upstream or downstream), Water, Financial services, transportation services or healthcare then the NIS Directive applies to you. This is due to the fact that organisations such as these have been identified as extremely attractive targets for cyber (or a blended including cyber) attack.

The UK Government has confirmed that this adoption (and it's subsequent requirements and recommendations) will not be affected by the proposed exit from the EU.


How Siker can help:

Objective A4 - Supply Chain Assurance

The adoption of the legislation places the responsibility onto you for identifying and remediating the security risks in your supply chain (where possible) where this may reduce or harm the services you deliver. We can help organisations with:

  • Provision of Cyber Essentials services to your SME companies within your supply chain 
  • Understand your supply chain and the risk to your systems

View Cyber Essentials services

Objective B6 - Staff Training and Awareness

One of the best ways to reduce the chance of these attacks being successful is to create a culture within the organisation that empowers staff to identify and report any suspicious activity. This, of course, only works if a good understanding of what 'normal' activity looks like!

It is recommended that staff attend regular awareness sessions to ensure they are kept up to date with policy changes, procedure updates, etc. These can either be via a computer based training environment or delivered during face to face sessions. Additionally, the relevant training can be provided to those that need it as part of their role. We can help organisation with:

  • Design and develop role-based skills and competency frameworks
  • GCT-accredited training courses
  • Skills gap analysis

View Cyber Learning services 

For further information on how we can help, get in touch with our experts to discuss how we can assist. 

Contact Us


For further information on the NIS Directive

National Cyber Security Centre website

Introduction to the NIS Directive

Introduction to the Cyber Assessment Framework (CAF)

European Commission website

The Directive on Security of Network and Information Systems (NIS Directive)

The 14 Security Principles

Objective A - Managing Security Risk

  • A1 - Governance
  • A2 - Risk Management
  • A3 - Asset Management
  • A4 - Supply Chain

Objective B - Protecting Against Cyber Attack

  • B1 - Service Protection Policies and Processes
  • B2 - Identity and Access Control
  • B3 - Data Security
  • B4 - System Security
  • B5 - Resilient Networks and Systems
  • B6 - Staff Awareness and Training

Objective C - Detecting Cyber Security Events

  • C1 - Security Monitoring
  • C2 - Proactive Security Event Discovery

Objective D - Minimising the Impact of Cyber Security Incidents

  • D1 - Response and Recovery Planning
  • D2 - Lessons Learned