What is the Network Information Systems Directive (NIS)?


The Network Information Systems Directive (NIS) is part of a wider general cybersecurity regulation applied by the European Commission in 2018. It aims to support international cybersecurity prevention and reaction measures, protecting both the public and more specific critical industries.

History of cybersecurity in the EU

Information security in the European Union has long been a struggle, as the individual politics of each country have played a part in how collaborative they have been. While the United States has approached the problem centrally with one US Cybersecurity Agency, the same cannot be said for Europe.

Instead of offering a true open-source environment, certain information has previously been closed off in order to protect the individual interests of each Member State. Furthermore, some countries have not previously had access to a competent authority team for protecting their information system.

Now, though, the Network and Information Systems Directive (NIS) has been introduced as the first piece of EU-wide legislation created to standardise the systems and practices used to protect the cyber interests of the EU as a collective. Moreover, it aims to protect the function of every essential service, even while under cyber security attack.

This regulation will ensure that every EU Member State is using the latest methods, e.g. a Computer Security Incident Response Team, to prepare for cyber risks.

Features of NIS

The overarching purpose of NIS is to protect companies inside the EU against cybersecurity infiltration and attack. As the cybersecurity landscape evolved, so too did NIS, with the EU suggesting that it was necessary to implement the Directive “quickly”.

These security measures have been introduced to keep data private and prevent sensitive information from falling into the wrong hands. With inter-country tensions currently extremely high in Europe, it will prove incredibly necessary for this EU directive to hold up successfully.

National capabilities

The national capabilities requirement of NIS refers to each individual country overseeing its cybersecurity measures. The securing of networks, information, and systems is important and not just a performative measure; it must be actually implemented. 

One example of this is that every country must establish a national cybersecurity plan. This includes defining what is actually deemed a ‘critical’ situation, as well as providing a process to work through in response to the occurrence of a crisis. The criteria for a crisis being over must also be defined, as well as who has the authority to handle it. 

Cross-border collaboration

The second part of the NIS cybersecurity strategy is cross-border collaboration. This feature refers to the sharing of information and digital infrastructure between the totality of the EU.

Collaboration can become the strongest weapon when averting a crisis situation since computer scientists need as much information as they can get. Furthermore, sharing data allows analysts to spot patterns in an organisation and predict future trends (as well as a cyber threat) more easily. 

A couple of the NIS collaboration strategies include having every EU country operating within the CSIRT network and taking part in the strategic NIS cooperation group. They work alongside the Digital Operational Resilience Act, which performs penetration testing in the financial services industry.

Critical sector supervision

The final section of the NIS directive specifies the supervision of critical entities in certain key industries that help European nations function in the case of a cyber incident. These include health, transport, water, energy, and of course, the financial sector.

The regulation requires EU Member States to have a national supervision team across these sectors to ensure that best practices are being followed. It works in support of the European Securities and Markets Authority, specifically in the financial services industry.

A recent report found that many of the risks around complying with regulation were centred around a lack of skill and tools. So, this part of the directive enables better cyber resilience and easier identification of any security risk or security incident with an overarching team. 

Who must comply with NIS?

NIS applies to all financial services and adjacent companies since they are considered critical infrastructure industries. This means that as well as following the general framework, NIS compliance includes the cyber assessment framework, which reveals best practices in states of compromised cybersecurity. 

Moreover, financial institutions must follow the ENISA supporting guidance, and publish their own set of cybersecurity resilience measures. This applies to essential services only and aims to protect the personal data of their customers. 

