NIS Directive explained

01 March 2018

One of the cornerstones of the EU’s cyber security strategy, the Security of Network and Information Systems Directive (NIS Directive) will significantly expand the scope of cyber security regulation in the EU.

Essentially, the legislation aims to raise levels of security and resilience of critical infrastructure, such as power and utilities, but also digital infrastructure like cloud service providers. It entered force in August 2016 and EU member states have until May 9 2018 to apply the Directive.

The Directive requires EU member states to establish a national framework to manage cyber security incidents, including a National Cyber Security Strategy and a Computer Security Incident Response Team. It will also see member states exchange information and cooperate on cyber security and in response to specific security incidents.

The NIS Directive also applies to organisations deemed to be “operators of essential services” (OES), although it will be down to each member state to determine exactly the organisations subject to the rules. The Directive requires member states to identify operators of essential services by 9 November 2018.

The Directive does not define OES although it says that “essential” organisations would include energy, transport, banking, healthcare providers, water and digital service providers. The latter includes search engines, online market places and cloud computing services.

Under the NIS Directive, critical infrastructure providers are required to adopt a culture of risk management “to identify any risks of incidents, to prevent, detect and handle incidents and to mitigate their impact”. Significantly, the NIS Directive is not limited to preventing malicious cyber attacks as it also covers any cyber incident that could disrupt services, such as outages.

The Directive will also introduce a mandatory incident notification regime which will require operators of essential services to report “incidents having a significant impact on the continuity of the essential services they provide” without undue delay. While the NIS Directive does not specify a timeframe for the reporting incidents, member states are free to adopt their own reporting requirements.

The requirement to notify the regulator of a broad range of cyber incidents has important implications for insurance. Cyber insurance will typically cover the cost of regulatory investigations in the event of a data breach, but not necessarily for a business continuity incident. This is an area to watch and discuss with a specialist insurance broker.

Penalties for non-compliance with the NIS Directive are also not set by the Directive, and are to be determined by each member state. However, the Directive says that penalties should be “effective, proportionate and dissuasive”.

The NIS Directive is not to be confused with the EU’s General Data Protection Regulation (GDPR), which is also due to be implemented in May 2018. The GDPR applies to all sectors and is focussed on privacy and protection of personal data. However, there is some overlap between the NIS Directive and the GDPR, and together the two pieces of legislation are expected to substantially raise the bar of cyber security.

Download Cyber Newsletter

For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on