Skip to main content

What is the NIS Directive?

To provide NIS appropriate security for your IT and OT you need to be in full control of your information security domains.
Learn how!

The NIS Directive, The Directive on security of network and information systems, is a directive, i.e. it is translated into each member state’s national legislation. This means that there may be differences in application.


What is the purpose of the NIS Directive?

The NIS Directive aims to promote security measures and boost EU member states’ level of protection of critical infrastructure. In other words, it improves information security of operators in sectors that provide essential services to our society and economy.



What is the story behind the NIS Directive?

Digitalisation not only creates business opportunities but opens more attack vectors to systems. The number of cyberattacks has increased sharply over the recent years, not only from criminals and script kiddies but also from state-funded forces with great endurance and vast resources. Raising information security within critical infrastructure raises society’s readiness for external disturbances.


What practical effect does the NIS directive have?

The NIS Directive tightens the requirements for information security in terms of integrity and availability. It is important to take people, processes and technology into account to ensure information security in the affected organisations. Better understanding in general of information and system risk classification together with impact contingency and action plans is necessary to improve resistance to attacks. Incidents are to be reported as part of increasing knowledge and raising preparedness.


What do operators need to do?

To provide NIS appropriate security for your IT and OT you need to be in full control of your information security domains.

Cybersecurity entails more than mere technology. In order to create sustainable protection, systematic analysis of assets, threats and risks is required, including also processes and human aspects.

It is neither practical nor economically justifiable to protect all information the same way. Therefore, the first step is to identify information essential to operations. With this basic understanding, necessary measures can be pinpointed and prioritised.


what is the nis directive


To raise cybersecurity of critical infrastructure in general, strict segmentation of industrial control utility systems (ICS/SCADA) has to be applied, combining logical separation with physical separation. This means keeping separate domains in the architecture isolated and allowing only very specific information to flow in-between. An effective way is to achieve this is by using products that replace manual management of information (air gap) and connect OT with IT systems at the highest level of security.

To provide NIS appropriate security for your IT and OT you need to be in full control of your information security domains.


Today in the ever interconnected and digitalisation driven reality, fully air-gaped solutions is no longer a viable alternative. You need to allow information to travel between domains an you need to stay in control. You need Cross Domain Solutions.




Potential new directive – NIS 2

Section added in February 2021.

The initial NIS directive included a process to conduct regular review of itself. This has led to a proposal for a directive for countries in the EU about measures for high common level of cybersecurity – this is called NIS 2. Once the new proposal is agreed upon, member states in the EU have 18 months to apply the new NIS 2 Directive.

Deficiencies in the NIS Directive

The proposal for NIS 2 contains aspects that meet deficiencies with the original NIS Directive. These deficiencies where found:


  • Business in the EU do not have a sufficient level of cyber resilience (cyber resilience is the resistance to a possible cyberattack, but also the ability to keep capacity up during an attack, and how well you return to your original capacity after an attack)
  • There is inconsistency between member states and sectors concerning cyber resilience  
  • There is not a sufficient understanding among member states about present threats and challenges, as well as not having a joint crisis response 




New additions in NIS 2

Based on these deficiencies, new additions have been made, creating the new proposal NIS 2. These are the most prominent new additions: 


  • New sectors (list further down)
  • Higher demands on security and reporting, where a minimum requirement list must be followed
  • Security of supply chains and suppliers 
  • Stricter supervisory measures for national authorities
  • Elimination of the distinction between operators of essential services and digital service providers 
  • Stricter supervisory measures for national authorities, firmer enforcement requirements
  • Aims at harmonising sanctions regimes across member states, enabling that administrative fines should be issued
  • Enhancement of the role of the Cooperation Group, and increasement of information sharing and cooperation between member state authorities


Who is affected by NIS 2?

In the new proposal, new sectors have been added based on how vital they are for society and the economy. A wider range of companies within each sector will also be included.

In the current NIS Directive, there are seven affected sectors: energy, transport, banking, financial market infrastructure, healthcare, water supply and digital infrastructure. These sectors will be joined by manufacture of pharmaceutical products including vaccines and of critical medical devices, public administration, and space.

Other important entities that will also be affected are postal and courier services, waste management, chemicals, food, manufacturing of other medical devices, computers and electronics, machinery equipment, motor vehicles, and digital providers.

Within each affected sector, all large and medium sized businesses within the EU will have to comply. Smaller businesses can also be affected if deemed necessary due to their profile.


Need help?

When you start working with security protection, the first step is to carry out a security protection analysis. Identifying the most important information assets of the business also identifies the measures that need to be taken in order of priority.

To learn more about how to protect your most important information, read more about information security!

Do not hesitate to contact us at Advenica! 

New call-to-action