The Directive on Security of Network and Information Systems (NIS Directive)

The Directive on Security of Network and Information Systems (NIS Directive) ((EU) 2016/1148) aims to achieve a high common level of network and information systems security across the EU in three ways:

  1. Improving cyber security capabilities at the national level.
  2. Increasing cooperation on cyber security among EU member states.
  3. Introducing security measures and incident reporting obligations for operators of essential services (OESs) in critical national infrastructure (CNI) and digital service providers (DSPs).

The NIS Directive was adopted by the European Parliament on 6 July 2016, and entered into force in August 2016. EU member states have until 9 May 2018 to transpose it into national laws, and a further six months to identify the OESs to which it applies.

The NIS Directive sets out security requirements and incident notification rules for DSPs that are different from those that apply to OESs.


Consequences for non-compliance with the NIS Directive

Member States are required to set their own rules on financial penalties and must take the measures necessary to ensure that they are implemented. It is likely that member states will implement tough penalties similar to that of the GDPR (General Data Protection Regulation).

A consultation document was released to outline the UK government’s plans to facilitate NIS Directive compliance.

Fines of between €10 million and €20 million or 2–4% of annual global turnover have been proposed by the UK government. Financial penalties will only be applied when the organisation cannot demonstrate that appropriate risk mitigation measures were in place.

One way of monitoring compliance may be through routine audits of OESs. DSPs may not face these types of audits because of a ‘light touch’ approach proposed by the NIS Directive, whereby enforcement can only be applied to DSPs after an incident has occurred, or if a company is reported to the competent authority to be non-compliant.


The NIS Directive compliance scope: who must comply?

The NIS Directive applies to OESs that are established in the EU and DSPs that offer services to persons within the EU. The Directive does not apply to hardware and software developers or DSPs that are considered small and micro businesses (companies employing fewer than 50 people whose annual turnover and/or balance sheet total is less than €10 million).

The NIS Directive will come into effect before the UK leaves the EU, and the UK government has confirmed that the Directive will apply irrespective of Brexit.


What is an Operator of Essential Services (OES)?

The NIS Directive is aimed at bolstering cyber security across sectors that rely heavily on information and communications technology (ICT). Certain businesses operating in critical industries are known as OESs.

OESs are public or private entities that meet all of the following criteria:

  • The operator provides a service that is essential to society and the economy.
  • The service rendered depends on network and information systems.
  • An incident affecting the network and information systems of that service would have a significant disruptive effect on its provision.

Each member state must identify the OESs by November 2018.

The sectors affected by the NIS Directive are:

  • Energy;
  • Transport;
  • Water;
  • Banking;
  • Financial market infrastructures;
  • Healthcare; and
  • Digital infrastructure.


What is a Digital Service Provider (DSP)?

The NIS Directive applies to the key types of DSP listed below, which normally provide their service “for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”. The onus is on online companies to determine for themselves whether they are DSPs and are therefore subject to the Directive’s security and notification requirements.

DSPs can be categorised as the following types of organisation:

  • Search engines.
  • Cloud computing services.
  • Online marketplaces.


Security and incident reporting measures under the NIS Directive

The NIS Directive does not provide an over-prescriptive security regime or protocol. Those subject to the Directive are instead required to adopt “appropriate and proportionate technical and organisational measures” to achieve compliance.

Article 44 states that a culture of risk management, involving risk assessment and the implementation of security measures appropriate to the risks, should be promoted and developed.


Not only cyber security risks

The NIS incident reporting requirements are not limited to “cybersecurity” incidents: any incident affecting the security of the network and information systems used to provide the essential service may be reportable. Examples include power failures, environmental hazards, hardware failures, cyber attacks, malware, intrusions and viruses.

The NIS Directive does not specify a timeframe for the reporting of incidents, only stating that operators need to notify about an incident “without undue delay”. Member states may adopt their own reporting requirements.

International standards such as ISO 27001 and ISO 22301 are based on the outcomes of risk assessments and serve as ideal frameworks for achieving NIS Directive compliance.

In fact, Article 19 mentions that compliance with international standards is encouraged.


The NIS Directive requires OESs and DSPs to:

  • Take appropriate technical and organisational measures to secure their network and information systems;
  • Take into account the latest developments and consider the potential risks facing the systems;
  • Take appropriate measures to prevent and minimise the impact of security incidents to ensure service continuity; and
  • Notify the relevant supervisory authority of any security incident having a significant impact on service continuity without undue delay.


Specific compliance requirements for OESs:

The UK government has published 14 high-level security principles all operators will be expected to comply with.

The 14 proposed principles issued by the National Cyber Security Centre (NCSC):

  • A. Appropriate organisational structures, policies, and processes
    • A.1 Governance
    • A.2 Risk management
    • A.3 Asset management
    • A.4 Supply chain
  • B. Proportionate security measures
    • B.1 Service protection policies and processes
    • B.2 Identity and access control
    • B.3 Data security
    • B.4 System security
    • B.5 Resilient networks and systems
    • B.6 Staff awareness and training
  • C. Capabilities to ensure security defences remain effective and to detect cyber security events
    • C.1 Security monitoring
    • C.2 Anomaly detection
  • D. Capabilities to minimise the impacts of a cyber security incident on the delivery of essential services
    • D.1 Response and recovery planning
    • D.2 Improvements

The following timelines have been released by the government in support of these plans:

  • January 2018: The NCSC will publish generic cross-sector security guidance to supplement the high-level principles. This will include a Cyber Assessment Framework (CAF), which will help establish the extent to which requirements are being met.
  • Spring 2018: Appointed competent authorities will indicate how OESs should interpret the generic guidance and CAF for their own risk management procedures.
  • November 2018: Competent authorities will produce further detailed sector-specific guidance.


Specific compliance requirements for DSPs

DSPs are required to ensure a level of security appropriate to the risk posed in offering covered services, considering the following elements:

  • Security systems and facilities.
  • Incident handling.
  • Business continuity management.
  • Monitoring, auditing and testing.
  • Compliance with international standards.

The Directive gives only a high-level description of the minimum security measures required, so ENISA has produced additional technical guidance for DSPs.


Incident notification rules for DSPs

The European Commission, in cooperation with member states, will set a framework for incident reporting by DSPs under the NIS Directive. This framework has not yet been set; the European Commission is expected to produce an Implementing Act establishing it.


The NIS Directive and the GDPR

Guidance provided by ENISA warns of potential overlaps between the incident reporting requirements of the NIS Directive and the data breach notification rules of the General Data Protection Regulation (GDPR). DSPs could have to report the same data breach incidents to different authorities under the NIS Directive and the GDPR.


What should be done to achieve NIS Directive compliance?

The best approach to achieve compliance is for DSPs and OESs to implement a cyber resilience programme that incorporates the following:

  • Robust cyber security defences.
  • Adequate cyber risk preventative measures.
  • Appropriate tools and systems to deal with and report incidents and data breaches.


Achieving compliance through cyber resilience

Article 19 of the NIS Directive encourages the use of European or internationally accepted standards and specifications relevant to the security of network and information systems.

By adopting two leading international standards on information security and business continuity management, your organisation will have taken the appropriate technical and organisational measures to manage its risks and prevent incidents affecting the security of the network and information systems. This can be done through a cyber resilient approach based on ISO 27001 and ISO 22301.


ISO 27001: the best-practice standard for information security

ISO 27001 is the internationally recognised best-practice standard that lays out the requirements of an information security management system (ISMS) and forms the backbone of every intelligent cyber security risk management strategy.


ISO 22301: the best-practice standard for business continuity

Effective business continuity management means an organisation can resume operations and return to ‘business as usual’ as quickly as possible after a disruptive incident. A business continuity management system (BCMS) is a comprehensive approach to organisational resilience. It helps organisations to update, control and deploy effective plans, taking into account contingencies, capabilities and business needs.

ISO/IEC 22301 sets out the requirements for a BCMS that incorporates disaster recovery and is considered the only credible framework for effective business continuity management in the world.


Adopting an integrated approach to cyber resilience

NIS Directive compliance will be achievable by adopting an integrated management system that incorporates ISO 27001 and ISO 22301. It will help your organisation achieve an internationally accepted posture of cyber resilience based on risk management best practice – exactly as the new legislation requires – and remove the burden of multiple compliance audits.


Why IT Governance?

  • We deliver the entire suite of consultancy, training and tools needed for NIS compliance.
  • Our unique combination of technical expertise and solid track record in international management system standards means we can deliver a complete solution for NIS compliance and manage the project from start to finish.
  • As part of our work with organisations in all industries, we have managed hundreds of projects around the world.
  • We’re independent of vendors and certification bodies, and encourage our clients to select the best fit for their needs and objectives.
  • We have multi-disciplinary teams that can undertake rigorous penetration testing of your systems and networks, project managers to roll out compliance implementation projects, and executive expertise to brief your board and develop a suitable risk mitigation strategy.
  • We deliver practical advice and work according to your budget and organisational needs. No company or project is ever too big or small.
  • We offer clear and transparent pricing.

