# NIS Directive: One Small Step for Man, One Giant Leap for Digital-Society-Kind

By [Greg Day](https://www.paloaltonetworks.com/blog/author/greg-day/?ts=markdown "Posts by Greg Day"), Dec 11, 2015

The Internet is often referred to as the Wild West, a relatively ungoverned space, yet this week the European Union (EU) took a huge step forward in coming to agreement on what should be included in the forthcoming Network and Information Security (NIS) Directive. This landmark directive -- the first time the EU has legislated on cybersecurity -- aims to raise cybersecurity and resilience capabilities across the EU's 28 member nations.

First proposed in 2013, the directive may seem to have been a long time in discussion, but that is really validation of how important it was to society. Carefully defining what is required and who is included was critical to encourage confidence in the ever-growing digital world, bolstering potential GDP growth with a more secure and resilient cyberspace.

### What does this mean for businesses?

First and foremost, the December 7 agreement now moves the directive into the more formal steps -- it will progress from concept into application via the development of national implementing regulations. Until now it's been easy to view this as a distant goal, but timelines immediately become more predictable. Furthermore, with a defined scope of what types of organisations are covered and how, each should be looking to define their own plan now to ensure relevant compliance. Although the final text is yet to be released, much of the content has been long decided.

### Who does it apply to?

The NIS directive has requirements at both a member state level and for businesses. Member states must have a defined national cyber strategy and capabilities to manage incidents that could impact digital society, by establishing (if they don't already have one) a national CSIRT, or computer security incident response team. The directive specifically calls out obligations for "operators of essential services", or those entities that are generally part of a country's Critical National Infrastructure.

The directive lists those essential services, which include as examples finance, healthcare, and energy, and requires them to have state-of-the-art cybersecurity and to notify, without undue delay, when they have significant incidents that could impact the continuity of the services they provide. Moving forward, member states will determine exactly which entities fall into these categories.

Also included are digital service providers (an area of much debate), which include the likes of e-commerce platforms, search engines, and cloud service providers. While the plan is that the requirements will be lighter on this group, their inclusion is a clear reflection of just how core these services are becoming to our increasingly digital society.

It's worth noting that there are strong rumours that the Data Protection Regulation reforms under negotiation are to be finalised before the end of the year, which would move the reform into the closing stages.

### What should you do next?

* Now that the scope has been settled, you should be able to clearly validate whether you, your business partners, and/or your supply chain will be covered, so you can assess what the implications will be for your business.
* Closely monitor implementation, especially by member states. Once the directive is published in the Official Journal of the European Union (which should occur shortly), member states will have 21 months to enact implementation regulations or laws. Timelines will become much clearer, which will allow you to define your plan for compliance.
* At the same time, monitor for the General Data Protection Regulation to similarly reach agreement in the coming months. Although a separate piece of legislation, it is on a parallel track, and its conclusion will likely add to your requirements -- pay attention to its scope and timelines.

### The right mindset is key when thinking about compliance.

In my experience, as businesses review the implications of the legislation, they can easily over-focus on the new requirement to notify. This is due to response being the largest gap for many in their current capabilities; to date, many had no mandate to do so. However, before focusing your energies on response, you should first determine if you are effectively doing all you can to prevent cyber incidents from occurring in the first place. The more you prevent, the less you will require responsive capabilities.

Cybersecurity continues to evolve at a rapid pace, yet it's very easy to slip into the habit of taking the same security measures that worked in the past. Ask yourself when you last changed a security process, or reviewed your capabilities, and whether they remain state of the art. More rudimentary: how do you measure success? Just what is the yardstick that allows you to validate the need for change? In the dynamic cybersecurity arena, continuing to do the same old things because they worked in the past typically means you are slowly slipping away from state-of-the-art capabilities.

In summary, it may seem obvious to tackle the new requirement of notification, but the greatest business benefit comes from stopping the incident in the first place. Finding the right balance between prevention and response is critical.