Cybersecurity for startups: get compliant with NIS 1

Published on
June 12, 2023

What is the NIS 1 Directive?

As the need for cybersecurity grows, the NIS 1 Directive (Network Information Security Directive) steps in to make things secure. Its mission is to ensure a high level of cybersecurity across the EU member states. How? By setting clear requirements for certain organizations to follow. Embracing the NIS 1 Directive helps us safeguard critical infrastructure and keep our digital environment safe.

Who should care?

The directive applies to two groups: essential service providers (think water, transport, energy infrastructure) and digital service providers (like online search engines, marketplaces, and cloud computing). To figure out if a company needs to follow the NIS 1 Directive, they have to do something called self-identification, which helps the company decide if it applies to them. But here's the truth: many online businesses are clueless about whether they need to comply or not. Here's the deal:

If you provide any of these services:

  • cloud computing (IaaS, PaaS, SaaS)
  • online marketplace
  • online search engine

And you fit either of these criteria:

  • more than 50 employees
  • Annual Recurring Revenue (ARR) above EUR 10 million

You have to comply! But don’t worry. We'll break down what this means in practice for you.

How to comply with the NIS 1 Directive?

To comply, digital service providers need to protect their networks and systems. Here are the key areas you should focus on:

1. securing your systems and facilities

Implement both physical and technical security measures to minimize any risks (i.e. lock your offices, use password manager and data backup etc.)

2. handling incidents like a pro

Know what steps to follow when a breach happens (minimize the incident impact and report the attack to authorities)

3. Having a backup plan to ensure business continuity

Create a backup plan that will keep your systems running in case of any unexpected events or after a disaster already occurred

4. continuous monitoring, auditing and testing

Run regular scans to reveal issues in the security mechanisms

Perform simulated attacks to check the security of your systems

5. compliance with international standards

Be compliant with ISO standards, SOC 2 or any other relevant regulations

Want all the details? Check out the official website of the European Union Agency for Cybersecurity.

Also, there's a new version of the NIS directive coming soon. It's been approved by the European Union and will come into effect across all member states next year.

What are the penalties?

If a company fails to comply, it could face hefty fines. Each EU member state sets its own penalties, which can go up to £17 million. And importantly, a company can be penalized more than once.

Key takeaways:

  • The NIS 1 Directive is here to protect our networks and information systems.
  • It affects two groups: essential service providers and digital service providers.
  • If you're a digital service provider with either 50+ employees or an ARR above EUR 10 million, compliance is a must.
  • Cloud computing, online marketplaces, and search engines are in the spotlight.
  • Don't know if you're in the club? Self-identify or reach out to us and we’ll guide you through the process!

Eldison to the rescue!

Feeling a bit lost in the NIS 1 Directive maze? No worries! Eldison Legal has your back. Reach out to us, and together we'll keep your network and information systems safe and sound.

  1. What is the NIS 1 Directive?
  2. Who should care?
  3. How to comply with the NIS 1 Directive?

Get your regular dose of legal know-how

Join our monthly newsletter. We’ll explain legal terms in a way your grandma would understand. Want to know what you are signing up for? Check out our past newsletters here.