NIS Directive
The Directive on Security of Network and Information Systems
The Directive on Security of Network and Information Systems (NIS Directive) ((EU) 2016/1148) aims to achieve a high common level of network and information systems security across the European Union in three ways:
- Improving cyber security capabilities at the national level.
- Increasing cooperation on cyber security among EU member states.
- Introducing security measures and incident reporting obligations for operators of essential services (OESs) in critical national infrastructure (CNI) and digital service providers (DSPs).
Consequences for non-compliance
Member States are required to set their own rules on financial penalties and must take the measures necessary to ensure that they are implemented. It is likely that Member States will implement tough penalties similar to that of the GDPR (General Data Protection Regulation).
Who must comply?
The NIS Directive applies to OESs that are established in the EU and DSPs that offer services to persons within the EU. The Directive does not apply to hardware and software developers or digital service providers that are considered small and micro businesses. (Companies employing fewer than 50 people whose annual turnover and/or balance sheet total is less than €10 million).
Affected sectors
- Banking and financial market infrastructures;
- Digital infrastructure;
- Energy;
- Healthcare
- Transport and;
- Water.
Compliance requirements
- Business continuity management;
- Compliance with international standards;
- Incident handling and reporting;
- Monitoring, auditing and testing and;
- Security systems and facilities.
Our proposition
Implement a cyber resilience programme that incorporates the following:
- Robust cyber security defences;
- Adequate cyber risk preventative measures and;
- Appropriate tools and systems to deal with and report incidents and data breaches.