Thinking beyond compliance

Challenge: EU NIS Directive Compliance

As we move ever deeper into the digital age, our society and economy are becoming increasingly dependent on networks and information systems to function.

The Directive on Security of Network and Information Systems, or NIS Directive for short, was first introduced by the European Union (EU) in 2016. The reasoning behind the directive is understandable: we have entered an era where cybersecurity – or lack thereof – concerns us all. Cyberattacks like the BlackEnergy3 malware-based cyberattack in Ukraine and the NotPetya malware have brought devastating effects in recent years.

Key services can and will grind to a halt when new threats succeed in targeting them effectively. This makes the EU-wide push for improved cybersecurity a very welcome development. Besides the intrinsic benefits that improvements will bring, there are consequences to noncompliance (fines are determined by local legislation). How can organizations identify and meet their ongoing cybersecurity responsibilities?

Our solution: Beyond ticking the boxes, to a unified approach

We identified seven key steps organizations should follow to become compliant with the NIS Directive:

1. Threat detection. In order to comply with the NIS Directive, organizations must have mature or advanced threat detection systems in place that are capable of identifying anomalous events and security risks proactively.

2. Incident management. Mature or advanced incident management capabilities should likewise be pursued, allowing organizations to minimize the impact of cybersecurity breaches and restore services quickly.

3. Incident reporting. Organizations must adopt standardized incident reporting mechanisms to ensure that significant cybersecurity incidents are reported to CSIRT within 72 hours of the event.

4. Real-time incident simulations. To demonstrate compliance, organizations must regularly carry out real-time incident simulations and keep a record of the results for future reference.

5. Accurate logging data. Organizations must also maintain a record of logging data that will allow authorities to assess the security of their networks and information systems.

6. Evidence of implementation. In addition to updating security policies to reflect the requirements of NIS-informed local law, organizations must be able to provide evidence that said policies have been implemented effectively.

7. Security audits. Finally, organizations must keep a record of all security audits for future references. It is important that these audits are carried out in accordance with local law (by certified institutions, if necessary).

This is what organizations need to do to be compliant – but that doesn’t mean compliance should be their only goal. With new threats emerging every day protecting these systems is an urgent priority – one that requires a unified approach to cybersecurity. A strong cybersecurity framework isn’t limited to the scope of the NISD. Nor is it limited to the scope of the GDPR, for that matter. It should comfortably include both – and more. An approach that goes beyond ticking the boxes and focuses on identifying, understanding and mitigating tomorrow’s vulnerabilities.

Results: Cybersecurity transformation is worth the investment

The message behind the NIS Directive is clear: implementing an effective cybersecurity framework is an essential part of doing business in the twenty-first century. Imagine if hackers were to breach a major organization’s network. In addition to making off with a wealth of user data, they also manage to cripple vital infrastructure, taking key services offline for long stretches of time. In this scenario, the organization may be held liable and hit with fines twice – both under the GDPR and the NIS Directive.

In situations like these, there are no quick solutions after the fact. Attacks can only be resolved by recovering and restoring system configurations from before the breach. It’s not just a matter of turning the affected systems off and on again. Disruption of business operations is inevitable. Key services will grind to a halt when new threats succeed in targeting them effectively.

Using our technical and industry-specific expertise we developed targeted services to assist our clients in their cybersecurity transformations, with additional attention for the areas we identified as posing further challenges: lowering incident response times and promoting security throughout the supply chain.

Related opportunities

  • Would you be confident enough in your knowledge to advise a company to follow a full digital transformation? Maybe Strategy & Consulting could be a good fit for you
  • Do you think you would enjoy finding effective solutions for complex technology implementation problems? Then maybe you would be great in Operations or Technology
  • Would you want to explore the possibilities that come with new technologies or develop fantastic user experiences? Try Interactive or Technology


Our recruiters are happy to help you navigate the application process, so get in touch!


The joy of the unplanned

View project

Things needed to change

View project

Going beyond GDPR compliance with Bonnier

View project

Reinventing customer service

View project