As we’ve seen from recent cyberattacks such as WannaCry and NotPetya — which are generally attributed to North Korea and Russia respectively — attacks on critical infrastructure can have a devastating impact on industrial production and hence on quarterly profits, with global estimated losses in the billions of dollars.

Additionally, targeted cyberattacks like TRITON that compromise large-scale cyber-physical systems — such as petrochemical mixing tanks, turbines, and blast furnaces — can cause catastrophic safety failures, environmental damage, and even loss of human life. (TRITON is generally attributed to Iran.)

The growing number and sophistication of malicious cyberattacks on critical infrastructure have led European Union (EU) legislators to adopt the Network and Information Security (NIS) Directive (NISD). The new directive requires companies from critical infrastructure sectors to adopt specific technical and organizational measures to manage threats to their networks and information systems.

While the EU’s General Data Protection Regulation (GDPR) is a privacy directive focused on organizations that collect personal data, the NIS Directive is focused on strengthening resilience for providers of critical infrastructure services. In particular, NISD applies to organizations that provide “essential services” in critical infrastructure sectors such as energy, transport, banking & financial, water, health sector, and digital infrastructure (ISPs, DNS providers, etc.).

EU member states had to incorporate the Directive into their national laws by May 9 of this year — a couple of…