Cybersecurity for startups: get compliant with NIS 1

3 min readJan 4, 2024

What is the NIS 1 Directive?

As the need for cybersecurity grows, the NIS 1 Directive (Network Information Security Directive) steps in to make things secure. Its mission is to ensure a high level of cybersecurity across the EU member states. How? By setting clear requirements for certain organizations to follow. Embracing the NIS 1 Directive helps us safeguard critical infrastructure and keep our digital environment safe.

‍Who should care?

The directive applies to two groups: essential service providers (think water, transport, energy infrastructure) and digital service providers (like online search engines, marketplaces, and cloud computing). To figure out if a company needs to follow the NIS 1 Directive, they have to do something called self-identification, which helps the company decide if it applies to them. But here’s the truth: many online businesses are clueless about whether they need to comply or not. Here’s the deal:‍

If you provide any of these services:

  • cloud computing (IaaS, PaaS, SaaS)
  • online marketplace
  • online search engine

And you fit either of these criteria:

  • more than 50 employees
  • Annual Recurring Revenue (ARR) above EUR 10 million

You have to comply! But don’t worry. We’ll break down what this means in practice for you.

‍How to comply with the NIS 1 Directive?

To comply, digital service providers need to protect their networks and systems. Here are the key areas you should focus on:‍

1. securing your systems and facilities

Implement both physical and technical security measures to minimize any risks (i.e. lock your offices, use a password manager and data backup, etc.)‍.

2. handling incidents like a pro

Know what steps to follow when a breach happens (minimize the incident impact and report the attack to authorities)‍.

3. Having a backup plan to ensure business continuity

Create a backup plan that will keep your systems running in case of any unexpected events or after a disaster already occurred‍.

4. continuous monitoring, auditing and testing

Run regular scans to reveal issues in the security mechanisms. Perform simulated attacks to check the security of your systems‍.

5. compliance with international standards

Be compliant with ISO standards, SOC 2 or any other relevant regulations.‍

Want all the details? Check out the official website of the European Union Agency for Cybersecurity.

Also, there’s a new version of the NIS directive coming soon. It’s been approved by the European Union and will come into effect across all member states next year.

‍What are the penalties?

If a company fails to comply, it could face hefty fines. Each EU member state sets its own penalties, which can go up to £17 million. And importantly, a company can be penalized more than once.

‍Key takeaways:

  • The NIS 1 Directive is here to protect our networks and information systems.
  • It affects two groups: essential service providers and digital service providers.
  • If you’re a digital service provider with either 50+ employees or an ARR above EUR 10 million, compliance is a must.
  • Cloud computing, online marketplaces, and search engines are in the spotlight.
  • Don’t know if you’re in the club? Self-identify or reach out to us and we’ll guide you through the process!

Get your regular dose of legal know-how

Join our monthly newsletter. We’ll explain legal terms in a way your grandma would understand. Subscribe here.