The purpose of the NIS directive is for providers of essential services to work with risk-based security. This entails, among other things, requirements for both a reporting obligation for incidents as well as continuous work in a structured and methodical manner according to accepted standardized frameworks. Safety assessments and subsequent action plans must also be documented and monitored annually. How is this work progressing in your organisation? Have you started to work for compliance with all the requirements?