This website uses cookies. View our cookie policy
United Kingdom
Select regional store:

The Directive on Security of Network and Information Systems (NIS Directive)

The Directive on Security of Network and Information Systems (NIS Directive) ((EU) 2016/1148) aims to achieve a high common level of network and information systems security across the EU in three ways:

  • 1.  Improving cyber security capabilities at the national level.
  • 2.  Increasing cooperation on cyber security among EU member states.
  • 3.  Introducing security measures and incident reporting obligations for operators of essential services (OESs) in critical national infrastructure (CNI) and digital service providers (DSPs).

View the PDF version of the NIS Directive (2016/1148).



The NIS Directive was adopted by the European Parliament on 6 July 2016, and entered into force in August 2016. EU member states have until 9 May 2018 to transpose it into national laws, and a further six months to identify the OESs to which it applies.

The NIS Directive sets out security requirements and incident notification rules for DSPs that are different from those that apply to OESs.


The NIS Directive compliance scope: who must comply?

The NIS Directive applies to OESs that are established in the EU and DSPs that offer services to persons within the EU. The Directive does not apply to DSPs that are considered small and micro businesses (companies employing fewer than 50 people whose annual turnover and/or balance sheet total is less than €10 million).

The NIS Directive will come into effect before the UK leaves the EU, and the UK government has confirmed that the Directive will apply irrespective of Brexit.


The NIS Directive requires OESs and DSPs to:

  • Take appropriate technical and organisational measures to secure their network and information systems;
  • Take into account the latest developments and consider the potential risks facing the systems;
  • Take appropriate measures to prevent and minimise the impact of security incidents to ensure service continuity; and
  • Notify the relevant supervisory authority of any security incident having a significant impact on service continuity without undue delay.


Consequences for non-compliance with the NIS Directive

Member states are required to set their own rules on financial penalties and must take the measures necessary to ensure that they are implemented.

The UK Government’s response to a public consultation was released in January 2018 to outline the UK government’s plans to facilitate NIS Directive compliance. In the UK, non-compliant organisations may be fined up to £17 million. The level of fine will be assessed by the competent authority, and will vary between sectors.

Enquire now about our NIS Directive training courses:


What is an Operator of Essential Services (OES)?

The NIS Directive is aimed at bolstering cyber security across sectors that rely heavily on information and communications technology (ICT). Certain businesses operating in critical industries are known as OESs.

The sectors affected by the NIS Directive are:

  • Drinking water supply and distribution;
  • Energy;
  • Digital infrastructure;
  • Health sector; and
  • Transport.


Specific compliance requirements for OESs:

The UK government has published 14 high-level security principles all operators will be expected to comply with.

The 14 principles issued by the National Cyber Security Centre (NCSC) are divided into four objectives:

Objective A. Managing Security Risk

  • A.1 Governance
  • A.2 Risk management
  • A.3 Asset management
  • A.4 Supply chain

Objective B. Defending systems against cyber attack

  • B.1 Service protection policies and procedures
  • B.2 Identity and access control
  • B.3 Data security
  • B.4 System security
  • B.5 Resilient networks and systems
  • B.6 Staff awareness and training

Objective C. Detecting cyber security events

  • C.1 Security monitoring
  • C.2 Anomaly detection

Objective D. Minimising the impact of cyber security incidents

  • D.1 Response and recovery planning
  • D.2 Improvements

Audits and the Cyber Assessment Framework (CAF)

Compliance with the NIS Directive by OESs will be monitored through audits conducted by designated competent authorities.

A newly developed CAF will provide guidance for assessing organisations against the 14 security principles issued by the NCSC, and will outline the acceptable levels of security for organisations under the requirements of the NIS Directive. The CAF is due to be released in April/May 2018.

(DSPs will not be audited. Enforcement will be applied to DSPs after an incident has occurred, or if a company is reported to the competent authority to be non-compliant.)


Incident reporting measures under the NIS Directive

In the UK, the incident reporting guidance for OESs has been simplified to help organisations and competent authorities determine which incidents to report. The competent authorities will follow this by determining the incident reporting thresholds for each sector, and these thresholds will be published by May 2018.

The incident reporting structure has been broken down into two sections:

  • Incident response – acts as a support function where the NCSC should be approached for cyber-related incidents, the competent authority or lead government department should be approached for assistance with non-cyber related incidents.
  • Incident notification – acts as a regulatory process wherein incidents must be reported to the competent authority and they will then decide if a follow-up investigation is required.

Like the General Data Protection Regulation (GDPR), organisations must “without undue delay and, where feasible, no later than 72 hours after having become aware of an incident” report incidents to the Competent Authority.


What is a DSP?

The NIS Directive applies to the following key DSPs that normally provide their service “for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”. The onus is on online companies to determine for themselves whether they are DSPs and are subject to the Directive’s security and notification requirements.

DPSs can be categorised as the following organisations:

  • Search engines.
  • Cloud computing services.
  • Online marketplaces.


Specific compliance requirements for DSPs

DSPs are required to ensure a level of security appropriate to the risk posed in offering covered services, considering the following elements:

  • Security systems and facilities.
  • Incident handling.
  • Business continuity management.
  • Monitoring, auditing and testing.
  • Compliance with international standards.

The Directive does not provide detailed requirements about the minimum security measures required, so the European Union Agency for Network and Information Security (ENISA) has produced extra guidance for DSPs. Download the technical guidance here.

An additional Implementing Regulation drawn up by the EC Council is currently in draft format, which aims to provide further guidance for DSPs.


How to achieve compliance with the NIS Directive

The best approach to achieving compliance is for DSPs and OESs to implement a cyber resilience programme that incorporates the following:

  • Robust cyber security defences;
  • Adequate cyber risk preventative measures; and
  • Appropriate tools and systems to deal with and report incidents and data breaches.

International standards, based on the outcomes of formal risk assessments, serve as ideal frameworks for achieving NIS Directive compliance. In fact, Article 19 mentions that compliance with international standards is encouraged.


Where to start: a total cyber resilience solution

Operators should be looking to develop a resilient posture that combines best practice from leading international standards, as highlighted in the high-level security principles and the associated guidance issued by the NCSC.

The NCSC’s guidance aligns heavily with the international information security management standard ISO 27001 and its best-practice guidance ISO 27002, its risk management companion (ISO 27005) and its incident response management guidance standard ISO 27035.

In addition, combining a regime of regular penetration testing, cyber incident response management and an effective business continuity management system (as outlined by the business continuity standard ISO 22301), will enable businesses to ensure compliance with the NIS Directive.

Following this integrated approach, you will achieve an internationally accepted posture of cyber resilience based on risk management best practice – exactly as the new legislation requires – and remove the burden of multiple compliance audits.

View our cyber resilience information page for more information.


Let’s get your compliance project underway

IT Governance offers a total cyber resilience solution to help you meet your compliance needs, and can help you conduct an initial self-assessment against the requirements of the NIS Directive.

Whatever the nature or size of your problem, we are here to help. Click the button below to request a call. One of our experts will get in touch as soon as possible.

Speak to a cyber security expert today >>


Why IT Governance?

  • We deliver the entire suite of consultancy, training and tools needed for NIS compliance.
  • Our unique combination of technical expertise and solid track record in international management system standards means we can deliver a complete solution for NIS compliance and manage the project from start to finish.
  • As part of our work with organisations in all industries, we have managed hundreds of projects around the world.
  • We’re independent of vendors and certification bodies, and encourage our clients to select the best fit for their needs and objectives.
  • We have multi-disciplinary teams that can undertake rigorous penetration testing of your systems and networks, project managers to roll out compliance implementation projects, and executive expertise to brief your board and develop a suitable risk mitigation strategy.
  • We deliver practical advice and work according to your budget and organisational needs. No company or project is ever too big or small.
  • We offer clear and transparent pricing.