Operators of Essential Services
and the NIS Directive

Helping you navigate NISD
compliance with ease

Get expert assistance with cost-effective implementation
and maintenance of your NISD compliance.

We model the mandatory NISD regulatory requirements against the controls that you already have in place,
making compliance as simple, cost-effective, sustainable and hassle-free as possible.

About NIS

What is the NIS Directive?

The Network Information Systems Directive (NISD) establishes a baseline level of security requirements for network and information systems to ensure the continuity of essential services. It was adopted as UK law and implemented on the 10th May 2018.

What are the risks of non-compliance?

The risks of non-compliance can be both financial and reputational:

In the UK, non-compliant organisations may be fined up to £17 million. The potential penalty may vary between sectors and be assessed by the Competent Authority to each assigned Operator of Essential Services.

The reputational risks associated with any operational disruption—due to full or partial non-compliance—could be significant.

The risk of collective ‘Class A’ legal action from users affected by service disruption is likely to grow; matching the comparable growth from GDPR legislation.

For organisations approaching NISD thresholds, last minute or hasty implementation of NISD-compliant controls could be expensive, unnecessarily disruptive and more likely to be implemented in a manner that creates unnecessary operational inhibitors.

What security objectives need to be implemented?

Current information security objectives defined by NCSC that need to be met by Operators of Essential Services:

Managing security risk

Appropriate organisation structures, policies, and processes are in place to understand, assess and systematically manage security risks

Protecting against cyber attack

Proportionate security measures are in place to protect services and systems from cyber attack

Detecting cyber security events

Capabilities to ensure security defences remain effective and to detect cyber security

Minimising the impact of cyber security incidents

Capabilities to minimise the impact of a cyber security incident and restoration of services, including notification of any incidents to the relevant Competent Authority

NISD doesn’t require reinvention of your current security systems.

Identify which of these objectives are already being met through, apply the relevant
NISD principles and controls, adjust and close any remaining gaps.

Do not believe that an NISD Compliance Framework must be a separate process.

Who does the NIS Directive apply to?

Who does the NIS Directive apply to?

Initially, it applies to those Operators of Essential Services, listed below, whose services are increasingly dependent upon critical technologies. If these technologies are disrupted, then public services will suffer as a result. There is a different operational capacity threshold for each sector – organisations above this threshold must adhere to NISD principles and it is recommended that operators below the threshold should also aim for compliance.

It is important to note that affected sectors may be widened, and/or the current thresholds may be adjusted in the NCSC’s first review of the criteria in 2021.







Digital infrastructure

How we help you reach NISD compliance

How we help you reach NISD compliance

A Maturity Model will clearly identify any existing non-conformities in your NISD compliance against the measures set by the respective Competent Authority. PGI will then work with you to close the gaps with as little operational impact as possible.

Maturity Modelling

Our consultants work on-site with your team to review how your existing current security posture and controls align to the principles outlined in the Cyber Assessment Framework developed by each Sector’s competent authority.

From this assessment, our consultants produce a report that depicts, verbally and graphically, the areas where compliance already exists and those areas where it doesn’t (including the measurable shortfall to non-compliance).

We will recommend measures needed to close the gaps. This will help your organisation to clearly prioritise investment to achieve overall compliance.


Once your NISD maturity levels have been identified and a compliance road map has been set, our consultants can either support your business to achieve compliance or where a client wishes to implement them using internal resources simply return to do a subsequent model.

Because the scope of your implementation plan is based on your current security posture, you will only be spending time, resource and money on the controls that need adjusting or re-evaluating for NISD purposes.

Importantly, implementing the NIS regulatory requirements correctly should not disrupt your operations.

Product and pricing

At the heart of addressing the demands of NIS Directive, we believe many of the controls you have in place will already form the foundation of your organisation’s compliance. Our consultants will undertake an in-depth review to identify the remaining gaps and provide a road map for achieving full compliance; where necessary working in partnership with you to implement all requirements.

Services Inclusive Price

Maturity Model


   Onsite analysis and review by experienced practitioners

   Detailed report findings and remediation activities

   High level executive overview
Enquire to find out more

Why choose PGI’s Maturity Modelling services?

Every business is different. Different size, scope, complexity, structure, sector and level of security needed that is appropriate to your level of risk.

We take a bespoke approach to our Maturity Modelling, specifically aligning it to your respective sector’s NISD Assessment Framework. We will gain a full understanding of all aspects of the business we are working with and what you already have in place. This allows us to recommend the most pragmatic and cost-effective route to achieving compliance.

It doesn’t have to be complicated, nor operationally disruptive.

Since 2013, we have successfully supported large critical service providers within transport, energy, health, water and digital infrastructure to identify and implement practical, cost effective information and cyber security solutions.

Register anchor

Products & Resources

Training anchor

The Community of Interest Network

The NIS Directive Community of Interest Network (COIN) is a platform to enable Operators of Essential Services to share knowledge and best practice.


We recommend the below articles for further reading:

Register anchor

Want to purchase or need more information? Why not speak to one of our experts.

Choose a day and time and one of our team will be in touch.
Alternatively, call us on +44 (0)207 887 2699 or email us at clientservices@pgitl.com

+44 (0)207 887 2699
©2019 PGI - Protection Group International Ltd. All rights reserved.
PGI - Protection Group International Ltd is registered in England & Wales, reg. no. 07967865
Address: Unit 13/14, Swallow Court, Sampford Peverell, Tiverton, England, EX16 7EJ