NIS – another EU Directive to follow it’s an attempt to provide a more secure IT platform for everyone

While you are all (I hope) thinking about GDPR, just a brief heads-up on another EU initiative that will also still be important post-Brexit. The NIS Directive is the first piece of EU-wide legislation on cybersecurity. It provides legal measures to boost the overall level of cybersecurity in the EU.

The NIS Directive has nothing to do with GDPR directly, but there are some similarities with it and GDPR compliance may help you with NIS compliance. It comes in on the 9th May, 2018, before the UK leaves the EU, but the UK is committed to following it post-Brexit.

It is a Directive, not a Regulation, which means that, although it must still be followed, it needs to be written into the law of each member state. It has a different scope to GDPR. It applies to Operators of Essential Services (OES) in the EU; and Digital Service Providers (DSP) that offer services to persons within the EU (but not to “small” DSPs; and micro businesses with fewer than 50 people, and annual turnover less than €10 million). The maximum fine for non-compliance in the UK seems to be “only” £17million.

It is about:

  • Having appropriate technical and organisational measures to secure network and information systems;
  • Considering the potential risks facing the systems;
  • Having appropriate measures to prevent and minimise the impact of security incidents and to ensure service continuity; and
  • Notifying the relevant supervisory authority of any security incident having a significant impact on service continuity without undue delay.

All good stuff, and it goes beyond mere “cyber security” to include service delivery, but I don’t think it should be confused with GDPR and the security of personal data. On the other hand, it is very appropriate to IT and Network Service Management, as it is all about providing the sort of reliable and trustworthy infrastructure needed by the Mutable Business.

There’s a UK-oriented Compliance Guide here. But remember that It also applies to service providers that do business in the EU but are not based in the EU. The EU documentation on NIS is available here, and should be read in conjunction with any UK-specific guidance. In Paragraph 65, the EU documentation covers the case of “a digital service provider not established in the Union [which] offers services within the Union” and the designation of a representative in the EU, in some detail.

David Norfolk

My current main client is Bloor Research International, where I am Practice Leader with responsibility for Development and Governance. I am also Executive Editor (on a freelance basis) for Croner's IT Policy and Procedures (a part-work on IT policies). I am also on the committee of the BCS Configuration Management Specialist Group (BCS-CMSG). I became Associate Editor with The Register online magazine – a courtesy title as I write on a freelance basis – in 2005. Register Developer, a spin-off title, started at the end of 2005, and I was launch editor for this (with Martin Banks). I helped plan, document and photograph the CMMI Made Practical conference at the IoD, London in 2005 ( I have also written many research reports including one on IT Governance for Thorogood. I was freelance Co-Editor (and part owner) of Application Development Advisor (a magazine,, now defunct) for several years. Before I became a journalist in 1992, I worked for Swiss Bank Corporation (SBC). At various times I was responsible for Systems Development Method for the London operation, the Technical Risk Management framework in Internal Control, and was Network Manager for Corporate group. I carried out a major risk evaluation for PC systems connecting across the Bank’s perimeter to external systems and prioritised major security issues for resolution by the Bank’s top management in London. I also formulated a Security Policy for London Branch and designed a secure NetWare network for the Personnel Dept. Before 1988 I was an Advisory Systems Engineer in Bank of America, Croydon in database administration (DBA). on COBOL-based IMS business systems. Before 1982, I worked in the Australian Public Service, first as a DBA in the Dept of Health (responsible for IMS mainframe systems) and latterly as a Senior Rserach Officer 2 in the Bureau of Transport Economics. Specialties: I have the ability to extract the essence of significant technical developments and present it for general consumption, at various levels, without compromising the underlying technical truth.

Have Your Say: