The Directive on Security of Network and Information Systems (NIS Directive), it was adopted in July 2016 and entered into force in August 2016. The NIS Directive is the first EU level legislation that deals with Cyber Security. The EU Member States have 21 months at their disposal after the Directive is entered into force to implement it into their national level, plus a further six months to identify and specify operators of essential services.

This directive aims to increase and harmonize the level of cybersecurity in all EU Member states, to improve the functioning of the internal market by creating trust and confidence, Member State bodies need to be able to cooperate effectively with economic actors and to be structured accordingly.”[1] Since it is a directive, it means that all EU Member States must adopt it into their national legislation, thus making it mandatory for companies to comply with NIS.

This directive will be in line with the General Data Protection Directive (GDPR), as their general aims overlap. In the past few months the GDPR has been discussed a lot, surprisingly the NIS Directive not so much. Seeing how important the NIS Directive is, we will discuss the key provisions that one must know to prepare for NIS.

Who is required to comply with the NIS Directive?

As already stated, every EU Member State must comply with the NIS Directive, but not every company is required to comply with it. Two groups of companies must comply with the NIS Directive:

1. Operators of Essential Services
2. Digital Service Providers

It is up o EU member states to determine which organizations are to be considered operators of essential services and thus subject to the NIS Directive.

Operators of Essential Services are those companies that work in the following fields: 1. Energy, 2. Transport, 3. Banking, 4. Financial Market Infrastructure, 5. Health Sector, 6. Drinking water supply and distribution and 6. Digital Infrastructure sectors.[2] Whereas Digital Service Providers are digital businesses that are considered to be of general importance when it comes to cybersecurity, such as marketplaces, search engines, cloud computing services, etc.

What measures need to be taken to comply?

We must know that there are three types of entities that must comply with the NIS Directive, those are: 1. EU Member States; 2. Operators of Essential Services and 3. Digital Service Providers.

Steps that EU member states need to take:

1. Adopt a national strategy on cybersecurity, who’s aim is similar to the NIS Directive, [3]
2. Designate a national competent authority, who will monitor the application of the NIS Directive on a national level,[4]
3. Designate a single point of contact, to ensure cross-border cooperation with the relevant authorities of Member States, [5]
4. Establish the Computer Security Incident Response Teams (“CSIRTs”), which will be responsible for monitoring incidents, providing early threat warnings, responding to incidents, and cooperating with the private sector, [6]
5. Establish a Cooperation Group in order to support and facilitate cooperation and the exchange of information among Member States.[7]

Steps that Essential Services and Digital Service Providers need to take:

1. Take appropriate measures to manage the risks posed to their security of network and information system,
2. Take appropriate measures to prevent and minimize the impact of incidents affecting the security of the network and information systems,
3. Must report incidents having a significant impact on the continuity of the essential services they provide without undue delay to the competent authorities. Expected within 24-72 hours of discovery. [8]

What are the Consequences of non-compliance?

Article 21 of the NIS Directive states that the penalties provided for shall be effective, proportionate and dissuasive. However, it does not determine what those penalties will entail, instead that is left to the individual Member States to determine themselves.

Member States are obliged to notify the Commission on the penalties they decide to implement, by the latest on the 9^th of May 2018.

Concluding Remarks

With the implementation of both the NIS Directive, EU now enters a new era of cybersecuirty. Although it is still early to say, as Member States still have time to implement the NIS Directive, it will undoubtedly change the playing field for both states and companies.  

Not a lot of time remains till the Member States fully implement the NIS Directive, so it is urgently advised for companies that do fall under this directive, to start preparing for it. The first step would be to do a “Self-Assesment”, to see where you stand and in which areas you need improving. Secondly one should find out which the national competent authorities are to whom they must report i, so that when something happens they will be able to contact them promptly within the deadline. Thirdly, companies should try to test their response time, see if they are able to comply with the daedline mentioned in the directive.

In case your company is not capable to do the above mentioned themselves, then it is highly recommended to contract someone to help you or look online for a NIS Directive toolkit or something similar which might help your company comply with the EU NIS Directive.

[1] NIS Directive, Recital 31, page 5.

[2] NIS Directive, Annex II, page 27.

[3] NIS Directive, Article 7, page 15.

[4] NIS Directive, Article 8, page 16.

[5] Ibid,

[6] NIS Directive, Article 9, page 17.

[7] NIS Directive, Article 11, page 17.

[8] NIS Directive, Article 14 and 16, page 20-21.