The NIS (Network and Information Security) Directive is an EU directive that sets security requirements aimed at improving the overall protection of critical infrastructure for essential and certain digital services. All organizations that are regarded as essential services must work systematically with their information security - and demonstrate compliance.
NIS (the Directive on Security of Network and Information Systems) is the first EU directive to increase cyber security throughout the EU. By May 9th, 2018, each EU member state must have implemented NIS in its local legislation. The NIS directive sets requirements for cyber security in networks and information systems. The law covers private and public providers of vitally important services – or so-called operators of essential services. The background to NIS is the growing threat to all types of organizations - not least from foreign powers.
To strengthen the internal market and reduce susceptibility, NIS requires essential community services to adopt a systematic and risk-based security approach and report incidents.
According to NIS, organizations providing vitally important services have several primary obligations:
On December 16th, 2020, a proposal was submitted to the European Commission regarding a new NIS directive called NIS 2 or NIS 2.0. NIS 2 is a revision of NIS which, if adopted, will require more sectors to comply with NIS. Vitally important services include postal and courier services, waste management, chemicals, food, manufacturing of other medical devices, computers and electronics, machine equipment, motor vehicles, and digital suppliers. When NIS 2 will come into force has not been determined, and the proposal is under evaluation. Once the directive is adopted, each EU member state will have 18 months to implement the directive as local legislation.