What is the NIS Directive?

The Network Information Systems Directive (NISD) establishes a baseline level of security requirements for network and information systems to ensure the continuity of essential services. It was adopted as UK law and implemented on the 10th May 2018.

What are the risks of non-compliance with the NIS Directive?


The risks of non-compliance can be both financial and reputational. For organisations approaching NIS Directive thresholds, last minute or hasty implementation of compliant controls could be expensive, unnecessarily disruptive and more likely to be implemented in a manner that creates unnecessary operational inhibitors.

  • Financial Read more Read less

    In the UK, non-compliant organisations may be fined up to £17 million. The potential penalty may vary between sectors and be assessed by the Competent Authority to each assigned Operator of Essential Services.

  • Reputational Read more Read less

    The reputational risks associated with any operational disruption—due to full or partial non-compliance—could be significant.

  • Legal Read more Read less

    The risk of collective ‘Class A’ legal action from users affected by service disruption is likely to grow; matching the comparable growth from GDPR legislation.

Ready to get started? Speak to one of our experts.

If you have any questions about our services or would like to learn more about our consultants here at PGI, please get in touch with us and speak with one of the team, call us on +44 (0)845 600 4403 or email us at sales@pgitl.com

Get in touch
  • Managing security risk


    Appropriate organisation structures, policies, and processes are in place to understand, assess and systematically manage network and information system security risks

  • Protecting against cyber attack


    Proportionate security measures are in place to protect services and systems from cyber attack

  • Detecting cyber security events


    Capabilities to ensure security defences remain effective and to detect cyber security

  • Minimising the impact of cyber security incidents


    Capabilities to minimise the impact of a cyber security incident and restoration of services, including notification of any incidents to the relevant Competent Authority

Which organisations does the NIS Directive apply to?

It applies to:

  • Operators of Essential Services (OES): Transport, Water, Energy, Health and Digital Infrastructure sectors
  • Digital Service Providers (DSPs): online search engines, online marketplaces and Cloud computing services employing more than 50 people and an annual turnover above £8.7 million.

These services are increasingly dependent upon critical technologies. If these are disrupted, then public services will suffer as a result. There is a different operational capacity threshold for each sector – organisations above this threshold must adhere to NISD principles and it is recommended that operators below the threshold should also aim for compliance.

It is important to note that affected sectors may be widened, and/or the current thresholds may be adjusted in the NCSC’s first review of the criteria in 2021.

How we help you reach NIS Directive compliance


A Maturity Model will clearly identify any existing non-conformities in your compliance against the measures set by the respective Competent Authority. PGI will then work with you to close the network and information security gaps with as little operational impact as possible.

  • Maturity Modelling Read more Read less

    Our consultants work on-site with your team to review how your existing current security posture and controls align to the principles outlined in the Cyber Assessment Framework developed by each Sector’s Competent Authority.

    From this assessment, our consultants produce a report that depicts, verbally and graphically, the areas where compliance already exists and those areas where it doesn’t (including the measurable shortfall to non-compliance).

    We will recommend measures needed to close the gaps. This will help your organisation to clearly prioritise investment to achieve overall compliance.

    Learn more about maturity modelling

  • Implementation Read more Read less

    Once your NISD maturity levels have been identified and a compliance road map has been set, our consultants can either support your business to achieve compliance or where a client wishes to implement them using internal resources simply return to do a subsequent model.

    Because the scope of your implementation plan is based on your current security posture, you will only be spending time, resource and money on the controls that need adjusting or re-evaluating for NISD purposes.

    Importantly, implementing the NISD regulatory requirements correctly should not disrupt your operations.

Why choose PGI’s Maturity Modelling services?

Every business is different. Different size, scope, complexity, structure, sector and level of security needed that is appropriate to your level of risk.

We take a bespoke approach to our Maturity Modelling, specifically aligning it to your respective sector’s NISD Assessment Framework. We will gain a full understanding of all aspects of the business we are working with and what you already have in place. This allows us to recommend the most pragmatic and cost-effective route to achieving compliance.

It doesn’t have to be complicated, nor operationally disruptive.

Since 2013, we have successfully supported large critical service providers within transport, energy, health, water and digital infrastructure to identify and implement practical, cost effective information and cyber security solutions.

Want to find out more?