What does the Network and Information Security (NIS) Directive mean to EU businesses?

We all know that cybercrime does not respect European borders. In response to increasing cyber threats, the European Commission has created the Network and Information Security (NIS) Directive, which is set to be adopted imminently.

The European Commission states that one of its top priorities is to create a ‘Digital Single Market’. It claims that this will generate around €250bn (£200bn) in additional business, as well as creating many new jobs. The NIS Directive aims to protect this mark.

What is the NIS Directive?

Work on formulating the NIS was started in 2013 and is in its final stages. The Directive has three main aims:

• Improving Member State cooperation in both public and private sectors
• Improving cybersecurity in European States
• Mandating essential service companies such as transport, banking, energy and health to have risk management protocols. They must also report cyber security breaches to the authorities.

The European Commission believes that the NIS Directive will result in consumers having more confidence in the security of the technologies that they use every day. Digital networks that operate across European borders will be regarded as reliable. Having secured reliable networks will increase the business of European countries.

What are essential services?

The Directive is mainly aimed at “essential services” and digital service providers. There are five essential service sectors:

1. Energy – including energy production, storage and distribution
2. Transport – Air travel, road, rail and sea travel operators and ancillary services such as air traffic control, railway stations and ferry terminals
3. Financial services – Banking, credit institutions and stock exchanges
4. Healthcare – Including hospitals, GP surgeries, and private sector healthcare businesses. Water supply and distribution also comes under the health sector
5. Digital infrastructure – operators of the key internet infrastructure

The Directive will cover both EU-based companies and ones based outside the EU that provide essential services within it.

Actions required

Essential service providers must operate risk management procedures to secure the safety of their online services. This includes managing any security breaches and implementing back-up systems that will continue services in the event of a security incident. Businesses need to continually monitor, audit and test their systems.

If a system is breached or experiences a cyber attack, a full report needs to be filed to the Member State in which the security incident took place. This report must include the numbers of users affected by the incident, how long the incident lasted, which geographical area was affected and the extent of service disruption. Incident reports should also provide estimates of the economic and societal impact.

All companies affected by the NIS Directive will need to create and implement a NIS policy for all their IT and information systems. They must have procedures for reporting incidents. Large companies will need a response team that’s fully trained in reacting to security incidents.

Is the NIS Directive enough?

The NIS Directive is designed to produce a co-ordinated response to European cyber threats. What has not been made clear is how the European Community will regulate the Directive so that companies in all Member States adopt the same approach. Some countries, including Germany and France, tend to use legislation to enforce cyber security policies, whereas the UK likes to encourage industry to adapt a voluntary code of practice.

The Directive leaves it up to Member States to decide precisely which companies are classed as essential services, and this may lead to inconsistencies in different countries.

In the original proposals, ecommerce platforms, social networks, cloud service, search engines and app stores were included in the digital infrastructure category. These categories were then removed by the European Parliament and digital infrastructure was then defined as those “essential for the maintenance of vital economic and social activities”. Some countries, including France and Germany, want to widen this definition to return the excluded industries to the digital infrastructure classification. Social network, cloud services and search engine providers are against this, as they claim that complying with the Directive will be very costly.

What happens if Britain leaves the European Union?

It would be remiss not to consider that a referendum about Britain leaving the European Union takes place in June. If Britain does exit the EU, then the NIS Directive will not apply to it. This means that Britain must create its own cyber security policies. The easiest way to do this would be to essentially mirror most of the NIS Directive. If the government decides that the NIS Directive is a good system, then copying it makes sense.

If a UK company provides essential services in European countries outside of the UK, then these operations will still be covered by the NIS Directive if Britain leaves.

Due to high-profile hacks in recent months such as those involving TalkTalk and Ashley Madison, the public are concerned about cyber security. Whether Britain stays in the EU or not, there remains the need for robust cyber security policies. Good cyber security is essential for all businesses that have an online presence, whether they are regarded as essential services or not.

Security breaches can be costly. TalkTalk, for example, lost around 250,000 customers following its security breach and this had significant impact on the telecommunications firm’s revenue. Most companies need to spend money hiring top cyber security personnel and implementing robust security systems.

Beyond Europe

The Network and Information Security Directive is a response to the increased threat to essential European services posed by cybercrime, but it is not just a European threat. U.S. President Barack Obama has said:

“America’s economic prosperity, national security, and our individual liberties depend on our commitment to securing cyberspace and maintaining an open, interoperable, secure, and reliable Internet.”

As the internet does not recognise borders, many believe that the cyber threat requires a coordinated international response. The International Cyber Threat Task Force was set up with the belief that:

“It takes a network to defeat a network. We enable people from all over the world to learn, work, share and collaborate together to defeat cyber threats.”

The European NIS Directive may be effective in reducing cybercrime, but a wider worldwide response may also be needed.

Our accreditations & Partners

  • REC Member
  • VTC - Virtual Technology Cluster
  • RANT Events
  • Bloom Nepro
  • YPO
  • Crown Commerical Service
  • Disability Confident
  • ISO 9001
  • Armed Force Covenant
  • Cyber Essentials Plus
  • ISO 27001





Thank you for signing up to the acumin alerts.

Send CV

Send us your CV and have our recruiters match you to the ideal opportunities

Do you already have an account with us?

Log in

Want to have an account with us?


Want to just send us your CV?

Upload only doc, docx, odt, pdf format file.

By submitting your registration and CV to us you are agreeing to join our database and to be contacted about relevant jobs industry communications. Please read our terms of business for more information.

Password reset

If you need a reminder for your password, fill out the field below

Log in

Access your account to edit your contact details, job alerts or to upload a new CV

Thank you


Thank you for successfully uploading your CV.

Acumin Alerts


Thanks for registering for Acumin alerts.

Acumin Alerts

Unfortunately your CV could not be uploaded

Please make sure your CV is one of the following file types: doc, docx, odt, pdf, rtf

Acumin Spam

Unfortunately your submission has been declared spam. Please try again.



Thank you for submitting your vacancy.


Create an account to register your contact details, sign up for job alerts and upload your CV


Thanks for registering for Acumin alerts. To get the most out of Acumin's service why not register with us?

Upload only doc, docx, odt, pdf format file.
- Practitioner
- Commercial

I agree to the terms and conditions and to be contacted by recruiters:

I agree to receive marketing communications relevant to my job search:

I agree to receive Jobs By Email for the following professions:
- Business Continuity Management
- Counter Fraud
- Cyber Security
- Executive Management
- Governance & Compliance
- Information Security & Risk Management
- Penetration Testing & Digital Forensics
- Sales and Marketing
- Sales Engineering
- Security Management
- Technical Security
- Information/Risk Assurance
- Identity Management
- Application Security
- Security Architecture
- Dev/Sec Ops
- DV & SC Cleared Jobs
- Programme & Project Management

Submit a Vacancy

Use the form below to submit a vacancy