NIS Directive (The Directive on security of network and information systems)

The Directive on Security of Network and Information Systems (NIS Directive) ((EU) 2016/1148) OES (operators of essential services) and DSPs (digital service providers), and focuses on network and information systems critical for service availability within the EU in order to protect the Union’s critical infrastructure and economies.

Starting your NIS compliance journey?

Our expert consultants will help you to assess your compliance needs and outline a clear roadmap for meeting the requirements of the NIS Regulations.


Consequences for non-compliance

Member states are required to set their own rules on financial penalties and must take the measures necessary to ensure they are enforced.

The Directive states that these must be “effective, proportionate and dissuasive”, but the exact figures vary per member state. In the UK, for example, non-compliant organisations may be fined up to £17 million.

Get in touch today to discuss how you can prepare for compliance >>


Who must comply with the NIS Directive requirements?

The Directive applies to OES that are established in the EU and DSPs that offer their services within the EU.

The Directive does not apply to DSPs that are considered small or micro businesses (organisations employing fewer than 50 people whose annual turnover and/or balance sheet total is less than €10 million).

Download our free green paper to find out how you can prepare for compliance >>


The NIS Directive requires OES and DSPs to:


What is an OES?

The NIS Directive is aimed at bolstering cyber security across sectors that rely heavily on ICT (information and communications technology). Certain businesses operating in critical industries are known as OES.

The NIS Directive applies to the following sectors:

  • Drinking water supply and distribution
  • Energy
  • Digital infrastructure
  • Banking
  • Financial market infrastructures
  • Health
  • Transport

Note that the exact sectors can differ per member state.


What is a DSP?

The NIS Directive lists the following categories of DSP:

  • Cloud computing services
    Organisations that provide “a digital service that enables access to a scalable and elastic pool of shareable computing resources” (Recital 19).

  • Online marketplaces
    Organisations that provide “a digital service that allows consumers and/or traders [...] to conclude online sales or service contracts with traders either on the online marketplace’s website or on a trader’s website that uses computing services provided by the online marketplace” (Recital 17).

  • Search engines
    Organisations that provide “a digital service that allows users to perform searches of, in principle, all websites or websites in a particular language on the basis of a query on any subject in the form of a keyword, phrase or other input, and returns links in which information related to the requested content can be found” (Recital 18).


The Commission’s Implementing Regulation and ENISA’s guidance for DSPs

The Implementation Regulation provides further clarity for DSPs on how they will be expected to comply with the NIS Directive.

ENISA (European Union Agency for Network and Information Security) has also provided “Technical Guidelines for the implementation of minimum security measures for Digital Service Providers”, which describes 27 security objectives DSPs are advised to take into consideration in their compliance projects.


How to achieve compliance with the NIS Directive

The best approach to achieving compliance is for DSPs and OES to implement a cyber resilience programme that incorporates measures for information security, business continuity and incident response.

International standards such as ISO 27001, ISO 27035 and ISO 22301 serve as ideal frameworks for achieving NIS Directive compliance.

The implementation of business continuity management, penetration testing and cyber incident response (CIR) management can help organisations achieve a heightened level of cyber resilience and help facilitate compliance with the NIS Directive.

Contact us today to start assessing your compliance needs >>


NIS Directive Gap Analysis for DSPs

Conducted by cyber security experts, the NIS Directive Gap Analysis highlights the shortcomings between a DSP’s information security arrangements and the requirements of the NIS Directive and Implementing Regulation.

Speak to us today for a free, no obligation quote >>


Why IT Governance?

  • Our unique combination of technical expertise and solid track record in international management system standards means we can deliver a complete solution for compliance and manage the project from start to finish.
  • As part of our work with organisations in all industries, we have managed hundreds of projects around the world.
  • We have multi-disciplinary teams that can undertake rigorous penetration testing of your systems and networks, project managers to roll out compliance implementation projects, and executive expertise to brief your board and develop a suitable risk mitigation strategy.
  • We deliver practical advice and work according to your budget and organisational needs. No company or project is ever too big or small.
  • We offer clear and transparent pricing, which means you won’t get any surprises.

Speak to an expert

Please contact our team for advice and guidance on our products and services.

top