The NIS Directive is an EU (and UK) regulation that aims to strengthen the cyber resilience of critical infrastructure. It requires organisations to prevent incidents that could disrupt operations and, when incidents do occur, to react swiftly so that their impact is minimal. Originally adopted as NIS1 and later reinforced through NIS2, the framework expands both the scope of covered entities and the level of cybersecurity risk management and incident reporting obligations across critical sectors.
Because incidents include events caused by compromised third parties, compliance with the NIS Directive requires a comprehensive security strategy. Trustpair supports risk management with incident prevention measures such as securing supplier bank data and preventing vendor payment fraud.
Cybersecurity Law: NIS Directive Key Takeaways
- The NIS Directive is an EU regulation that enforces robust cybersecurity measures for operational resilience
- Two types of entities must comply with NIS: operators of essential services (OES) and digital service providers (DSPs)
- If you fail to apply the NIS Directive, you could suffer significant cybersecurity incidents, leading to regulatory investigations, fines and penalties for leadership
- Reach NIS compliance by applying the correct cybersecurity strategy, performing continuous monitoring and implementing automated internal controls
NIS Directive: definition and requirements
The NIS Directive refers to the EU’s legislative framework on network and information security. Since 2016, the regulation has applied to critical services like healthcare and water, requiring providers to take the most robust cybersecurity measures and to focus on business continuity when incidents do arise.
NIS2 came into effect in 2023 to strengthen critical services against the evolving threat landscape. It goes hand-in-hand with other regulations like the Digital Operational Resilience Act (DORA) and GDPR to protect critical information against cyberthreats.
NIS Directive requirements include the following:
- IT risk management: take organisational and technical measures to secure your network and information systems, with a particular focus on data governance strategies
- Business continuity: take the appropriate measures to minimise the impact of potential risk events
- Early warning reporting: report early warning signs of incidents within 24 hours of becoming aware of them
- Detailed incident reporting: report incidents of ‘significant impact’ or ‘substantial impact’ (depending on the entity type) within 72 hours of becoming aware of them
Given these requirements, a comprehensive cybersecurity plan is the best way to avoid disruptive incidents. Aligning strategies with international standards helps firms go one step further in protecting against risk events, and may also provide a competitive advantage when it comes to securing high-value contracts.
From NIS1 to NIS2: what are the differences?
The original NIS Directive (NIS1) focused mainly on operators of essential services and certain digital service providers, requiring baseline security measures and incident reporting for their network and information systems. With NIS2, the European Union significantly expands the scope to cover more critical sectors and a broader range of essential and important entities, including cloud computing services, financial market infrastructures, and other digital infrastructure sectors.
NIS2 introduces stricter cybersecurity risk management measures, clearer reporting obligations, stronger oversight from national competent authorities, and higher financial penalties for non-compliance. The aim is to improve cyber resilience and the coordinated management of cybersecurity incidents across EU member states.
Who has to comply with the NIS Regulations?
Organisations that must comply with NIS regulations are those deemed to be providing ‘critical’ services. This involves two key types of entities:
- Operators of Essential Services (OES): including those in the energy, water, healthcare and transport sectors – known as essential entities
- Digital Service Providers (DSPs): making up the digital infrastructure, including online search engines, online marketplaces and cloud computing services – known as important entities
One exception: the regulations don’t apply to DSPs that are considered ‘micro’ or ‘small’ enterprises. Companies that have fewer than 50 employees and a turnover of less than €10 million therefore don’t need to comply with the NIS Directive.
The requirements differ slightly depending on which category you belong to, with essential entities (OES) facing stricter requirements:
| Factor | OES | DSPs |
|---|---|---|
| Identification as a NIS-compliant entity | Identified by the authorities | Must self-identify |
| Monitoring for compliance | Actively monitored through audits | Generally not audited, but may be investigated following an incident |
| Reporting reason | Must report anything that has a “significant impact on the continuity of the essential service” | Must report anything that has a “substantial impact on the provision of a service” |
| Registration | Must proactively register with the regulator | No requirement to register |
Importantly, it’s up to compliant organisations themselves to determine whether an incident meets the thresholds for reporting. Here are the main differences between incidents of significant and substantial impact:
| Factor | Significant impact | Substantial impact |
|---|---|---|
| Loss of service | More than 5 million user hours | More than 750,000 user hours |
| Loss of confidentiality, integrity, availability or authenticity of data accessed over IT systems | More than 100,000 users | More than 15,000 users |
| Risks created by the incident | Public safety or security risks, or loss of life | Public safety or security risks, or loss of life |
| Material damage to at least one user | More than €1 million | More than €850,000 |
What are the consequences if you don’t apply the NIS directive?
Companies that don’t comply with the NIS Directive can expect heavy fines, managerial liability, and significant reputational damage.
For essential entities, the fines could total up to €10 million or 2% of annual turnover (whichever is higher). For important entities, it sits around €7 million or 1.4% of annual turnover. Within EU member states, each national authority also has the power to temporarily suspend licences and even operations in order to enforce compliance.
NIS2, the second iteration of the NIS Directive, also brought in individual accountability. In cases of severe failings, leadership teams can be held accountable – including losing their jobs or certifications and receiving individual penalties.
For some companies, though, the ‘name and shame’ will be the worst consequence of all. Regulators have the power to make entities issue a public notification that details their non-compliance, the nature of the breach, and those responsible. It’s this type of notice that generally leads to further financial damage, such as stock prices falling or shareholders pulling out, and it negatively impacts public sentiment, which can stall growth.
How can businesses reach NIS compliance?
Businesses can reach NIS Directive compliance by rigorously implementing internal control measures, which must be documented, archived and accessible in case of audits or incidents. These control measures can include:
- Risk analysis: initial assessment and ongoing risk monitoring, especially for risks that evolve
- Incident handling plans: including direct response, investigation plans and reporting templates
- Business continuity and crisis management plans: including access control changes, minimum operational systems
- Supply chain security: monitoring, authentication, acquisition (leavers and joiners), supplier database maintenance
- Security testing and incident: including penetration testing, vulnerability identification and remediation
- Board involvement: with the oversight and accountability requirements, the board must play an active role in NIS compliance
It’s important that firms implement ownership matrices so that accountability trails are clear. Moreover, entities must consider their entire supply chain in their business continuity and operational plans, as without such controls one weak link could be enough to ‘break’ the whole chain. Compliant organisations should therefore take steps to secure supplier bank account data and prevent payment fraud, which Trustpair facilitates to support NIS risk management and incident prevention.
Finally, active compliance means ongoing supplier monitoring and risk detection. Moving from annual cycles to event-triggered reviews and automated reminders reduces reliance on manual work (and the risk of human error), enabling firms to avoid significant incidents.
To learn more about how Trustpair can support your compliance efforts and prevent payment fraud, talk to a member of the team.
NIS Directive: a critical cyber security regulation
The NIS Directive asks critical service providers like banks, train operators and postal services to operate with operational resilience against cybersecurity threats. Support compliance efforts to prevent incidents and manage risks by partnering with platforms like Trustpair, for a secure supplier database, ongoing verification and payment fraud prevention.