This website uses cookies. View our cookie policy

The Directive on Security of Network and Information Systems (NIS Directive)

Transposed into EU member state law on 9 May 2018, the NIS Directive (the Directive on Security of Network and Information Systems (NIS Directive) ((EU) 2016/1148) intends to achieve a high level of network and information systems security consistently across the EU.

Scope of the NIS Directive: who must comply?

The Directive applies to:

  • Operators of Essential Services (OESs) that are established in the EU, and
  • Digital Service Providers (DSPs) that offer services to persons within the EU 1.

Please note that small and micro DSPs (organisations employing fewer than 50 people whose annual turnover is less than €10 million) are not included in scope of the NIS Directive

The NIS Directive requires OES and DSPs to:

  • Take appropriate technical and organisational measures to secure their networks and information systems;
  • Take into account the latest developments and consider potential risks facing their systems;
  • Take appropriate measures to prevent security incidents, or at least minimise impact to ensure service continuity; and
  • Notify the relevant competent authority of any security incident having a significant impact on service continuity without undue delay.

Consequences for non-compliance with the NIS Directive

Required to set their own rules on financial penalties, member states must take appropriate measures to ensure these are implemented. It is likely that they will be similar to that of the GDPR (General Data Protection Regulation).

Compliance may be monitored through routine audits of OESs.

What is an Operator of Essential Services (OES)?

Certain businesses operating in critical industries are known as OES. Designed to reinforce cyber security across heavily IT-dependent businesses, the NIS Directive affects the following sectors:

  • Water;
  • Energy;
  • Digital infrastructure;
  • Banking and financial market infrastructures;
  • Healthcare; and
  • Transport.

What is a Digital Service Provider (DSP)?

Key DSPs that provide their service “for remuneration, at a distance, by electronic means and at the individual request of a recipient of services” are covered by the NIS Directive and can be categorised as the following:

  • Search engines;
  • Cloud computing services; and
  • Online marketplaces.

Specific compliance requirements for DSPs:

Provided that DSPs implement an appropriate level of security that factors in the NIS Directive requirements, DSPs are free to choose whichever technical and organisational measures they deem adequate to the risk.

This risk-based security approach must include the risk posed in offering covered services, including the following components:

  • The security of systems and facilities;
  • Incident handling;
  • Business continuity management;
  • Monitoring, auditing and testing; and
  • Compliance with international standards

The Commission’s Implementing Regulation for DSPs

DSPs seeking further clarity on how they are required to comply with the NIS Directive should consult the Implementation Regulation, which took effect 10 May 2018 and applies across all member states.

In addition to information security and business continuity measures, the NIS Directive requires DSPs to establish incident response measures based on an evaluation of the incident’s severity.

What should be done to achieve NIS Directive compliance?

If you are a DSP or OES, your best route to compliance is to implement a cyber resilience programme incorporating the following:

  • Robust cyber security defences.
  • Adequate cyber risk preventative measures.
  • Appropriate tools and systems to deal with and report incidents.

Achieving compliance through cyber resilience

As recommended by Article 19 of the NIS Directive, organisations can achieve compliance with the Directive’s requirements by adopting an integrated management system based on international and European standards for information security.

A unified management system based on an integrated ISO 27001 and ISO 22301 risk-based framework can help your organisation achieve internationally recognised, best-practice cyber resilience, and remove the burden of multiple compliance audits.

Download the compliance guide

Why IT Governance?

  • We provide the complete suite of consultancy, training and tools necessary for NIS Directive compliance.
  • Our unique combination of technical expertise and solid track record in implementing international management system standards means we can deliver a complete solution for compliance and manage the project from start to finish.
  • Our work includes projects with organisations in all industries all around the world.
  • We are independent of vendors and certification bodies, and help our clients to select the best fit for their requirements and objectives.
  • We have multi-disciplinary teams that can undertake rigorous penetration testing of your systems and networks, project managers to roll out compliance implementation projects, and executive expertise to brief your board and develop a suitable risk mitigation strategy.
  • We provide pragmatic advice and work according to your budget and organisational requirements. No company or project is ever too big or small.
  • We offer clear and transparent pricing.

Speak to an expert

Please contact our team of experts for advice and guidance on our NIS Directive products, services and solutions.