Network and Information Systems (NIS) Directive Readiness

What is the Network and Information Systems Directive?

On 10th May 2018, the NIS Directive came in to force, with the aim to improve the security and resilience of network and information systems across the EU, as well as increase cooperation between member states.


The directive requires Operators of Essential Services (OESs) and Relevant Digital Service Providers (RDSPs) to:

  • Take appropriate and proportionate security measures to achieve the outcomes set out by the 14 NIS principles
  • Notify the relevant national authorities of serious incidents and events

Why is this important?

1. Adhering to the directive will help you to achieve organisational resilience and respond effectively to cyber threats

2. Non-compliance could lead to significant fines and cause reputational damage

Is my organisation subject to the regulation?

Industry regulators, otherwise known as Competent Authorities (CA), have or are in the process of defining the thresholds for whether an organisation is in scope. The general descriptions of each type of organisation that is subject to the regulation is set out in schedule 2 of the NIS Regulations 2018.

What do I need to do?

As an OES or RDSP, you will need to:

  • Identify your in-scope network and information systems
  • Achieve the objectives set out by the 14 NIS principles
  • Report security incidents ‘without undue delay’ to your CA
  • Demonstrate compliance to the directive through adherence to the cross-sector guidance produced by the National Cyber Security Centre, called the Cyber Assessment Framework (CAF) and sector specific guidance issued by your CA

How can we help?

We can support you in your journey to compliance with the NIS Directive. In order to establish your present and target state, we have developed a NIS readiness assessment workshop, which, combined with our subject matter expertise, is an excellent first step and can support you in:

  • Understanding the level of cyber security maturity across your organisation
  • Developing a roadmap to improve your maturity and prepare for NIS

Frequently Asked Questions

What do I need to do now?

  1. Get Ready: Understand your level of compliance today. Discuss the NIS Directive with your organisation, see what measures you have or are intending to put in place in order to become compliant.
  2. Get on the front foot: Engage with your Competent Authority, they want to establish a collaborative approach to implementing the guidance
  3. Get Support: You know your organisation better than anyone, but you may need support in contextualizing the requirements to your organisation, as well as prioritising and implementing your roadmap to compliance. 

Who can I speak to?

If you would like to speak to us about the NIS Directive, how it will impact your organisation, or how we can support you, please get in touch with one of our team.

Contact us

Andrew Miller

Andrew Miller

Cyber Security Partner, PwC United Kingdom

Tel: +44 (0)7715 484519

James Hunt

James Hunt

Senior Manager, PwC United Kingdom

Tel: 07701 296796

Follow us