About NIS

The Network and Information Security (NIS) Directive is a part of the EU-wide cybersecurity legislation with an aim of enhancing cybersecurity across the EU and every EU member state has started to adopt national legislation, allowing for some level of flexibility. The EU NIS Directive took effect as of May 2018.

The Directive

NIS is a first essential step with a view to promoting a culture of risk management, by introducing security requirements as legal obligations for the key economic actors, notably;

  • operators providing essential services (OES)
  • suppliers of some key digital services (Digital Service Providers – DSPs)

Member States should have identified Operators of Essential Services (OES) by November 9th, 2018.


The directive considers following sectors under OESs; Energy, Transport, Banking, Financial market infrastructures, Health, Water supply and Digital infrastructure Energy, Transport, Banking, Financial market infrastructures, Health, Water supply and Digital infrastructure.

The directive considers following sectors under DSPs; Search engines, Cloud computing services and Online marketplaces.


Applicability is not the same for DSPs and OESs:

  • DSP – enforced only in case of reported incidents or reported non-compliance to the competent authority
  • OES –enforced by regular audits

OESs are public or private entities that meet all of the following criteria:

  • The operator provides a service that is essential to society and the economy.
  • The service rendered depends on network and information systems.
  • An incident to the network and information systems of that service would have significant effects on its provision.

Member states

Member States are required to set their own rules on financial penalties which will be effective, proportionate and dissuasive. Member states mandated to designate:
  • National strategy on the security of NIS defining the strategic objectives and appropriate policy and regulatory measures for OESs
  • Competent Authorities that shall monitor the application of this Directive at national level
  • Computer Security Incident Response Teams (CSIRTs) which shall comply with the requirements set out NIS Annex I

CSIRTs network shall be composed of representatives of the Member States’ CSIRTs and CERT-EU. Member states may request assistance of ENISA in developing national strategies. ENISA acts as a centre of expertise dedicated to enhancing network and information security.

How to achieve compliance

A lot was left to be defined upon member states, incident reports (not strictly related to cybersecurity), response timeframes, etc.

NIS encourages the use of European or internationally accepted standards and specifications relevant to the security of NIS, such as:

  • ISO27001
  • NIST Framework for Improving Critical Infrastructure Cybersecurity

ENISA has issued a report to assist Member States and DSPs in providing a common approach regarding the security measures for DSPs – technical Guidelines for the implementation of minimum security measures for Digital Service Providers.

How can we help

Our service provides a risk based approach in order to break NIS regulations into specific requirements for your organisation’s cybersecurity program, making it easier to pinpoint which of the NIS requirements are in-place and which require remediation actions to ensure compliance against national requirements.

Our NIS services are aimed at helping you achieve compliance. As trusted advisors we shall:

  • Conduct an initial assessment to determine the scope of applicability to your organisation and identify any gaps in compliance
  • Help with establishing security incident reporting process, as upon occurrence of a cyber incident, regardless whether your organisations is a DSP or OES, you must be able to send alerts to the relevant national authority immediately upon becoming aware of the incident
  • Provide guidance on monitoring, auditing, testing and reporting with an aim of monitoring security measures, tracking incidents and resolution progress
  • Conduct mandatory risk based assessments as per internationally accepted standards such as ISO 27001 which competent authorities will use to evaluate regulatory compliance