AbleToTrain by Willing & Able

NIS Directive – Step-by-step Guide for companies – part 1

Fines of up to 5% of turnover can be imposed under the NIS Directive or the European Union Directive no.

If your company provides key services like medical, banking, drinking water supply and distribution, transportation, or digital services, it’s critical to think about how you can keep a basic level of security. The cybernetics of your company’s networks and computer systems.

In this post, we’ll go over what the NIS Directive implies for your business, why you need cybersecurity in this environment, what you risk if you don’t comply with the law, and what technical actions you’ll need to take to comply.


  • What does NIS mean?

  • Why was a cybersecurity directive needed?

  • Transposition of the NIS Directive into national law

  • Who should apply the provisions of the NIS Directive?

  • Why does your company also need cybersecurity measures in accordance with the NIS Directive?

  • What obligations do you have according to NIS?

  • What technical rules do you have to follow? List for OSE

  • The first step in developing the cybersecurity rules specified by NIS

  • Step 1-Ensuring information security management

  • Step 2-Where can you expect a cyber attack? Ecosystem mapping

  • Step 3-Establish ecosystem relationships

What does NIS mean?

NIS is an acronym for Network and Information Security, as well as the title of the first European Cyber Security Directive (Directive on security of network and information systems). The NIS Directive, which was adopted by the European Parliament on 6 July 2016, requires it to be converted into national law by 9 May 2018, after the identification of essential service operators, or organizations to which the Directive applies, by 9 November 2018.

Why was a cybersecurity directive needed?

In summary, businesses of all sizes have become reliant on a variety of computer systems and services, which has piqued hackers’ interest. Because the number of security incidents has increased dramatically in recent years, MEPs have stated that all Member States should take this matter seriously.

This is in the backdrop of EU members’ varying levels of preparedness for cyber-threats and unequally ensuring consumer and commercial safety. The implementation of this Directive, on the other hand, aims to bring all enterprises in the Member States to the same high degree of network and information system security in relation to the risks involved.

The NIS Directive’s goal is to protect European people by requiring vital industry businesses to adopt a set of standard procedures and methods to ensure a high level of cyber security across the board. Furthermore, the Directive establishes the framework for Member States to collaborate in identifying and eradicating cyber theft networks.


Who should apply the provisions of the NIS Directive?

Law no. 362/2018 on ensuring a high common level of security of networks and information systems targets two categories of companies:

1.Essential Services Operators (OSEs) from 7 sectors of activity vital for the economy:

1.1 energy;

1.2 transport;

1.3 the banking sector;

1.4 the medical field;

1.5 financial market infrastructure;

1.6 digital infrastructure;

1.7 supply and distribution of drinking water.

2.Digital Service Providers (Digital Service Providers), respectively:

2.1 online markets;

2.2 online search engines;

2.3 cloud computing services.

Most of the requirements we’ll discuss in this post won’t apply to you if you’re a digital service provider who falls into the SME category.

However, it is important to study the Methodological Rules for the Identification of Essential Service Operators and Digital Service Providers in order to be certain of the company’s standing with regard to the NIS Directive. They’re in the Official Gazette, Part I, No. 584, dated July 17, 2019. In addition, Decision no. 963/2020 contains a list of important services.

Why does your company also need cybersecurity measures in accordance with the NIS Directive?

Noncompliance with the Act aimed at guaranteeing a high common level of cyber security can result in fines ranging from 3,000 lei to 5% of turnover.

Beyond the legal duties, and even if this legal framework does not apply to your organization, taking the necessary steps to maintain a high degree of cyber security is the insurance you pay to avoid material and image damage. if there is a cyber-attack.

According to a recent report by SAS, the world leader in analytics, there are conditions in place for 2021 to be the year of digital fraud.

So, if you’ve previously invested in digitization or enabled teleworking, your company’s IT network has most likely expanded. As a result, you must ensure that your company’s networks and IT systems are safe and that no financial losses occur.