The EU’s Network and Information Security (NIS) Directive is a means of forwarding the European Union’s cyber security strategy. As it is a directive, rather than a regulation, member states will have to meet its demands by passing their own domestic laws.

The Network and Information Security Directive targets critical national infrastructure – or operators in energy, transport, health, and banking – and requires them to report cyber security breaches almost as soon as they are discovered or else risk regulatory fines and other sanctions from national authorities who will be given powers to enforce the rules.

But there are calls for this to be taken further, and for all companies to mandatory report any breaches when they’ve been attacked and to share details about how it was done. Creating a mandatory anonymised database of cyber attacks might help strengthen cyber defences for everyone. Under reporting of cyber attacks contributes to an incomplete understanding of the magnitude of the threat. It means we are relying on anecdotal information to determine effective defences against cyber threats. This data would be useful in a number of different ways, the Director general of the Association of British Insurers (ABI), Huw Evans, has called for a to help insurers develop accurate business models.