The new EU Directive 2016/1148 on Security of Network and Information Systems aims to implement a minimum level of network and information security (NIS) in Member States. An obligation to manage security risks and to report serious cyber incidents will be imposed in the coming months on certain entities, such as search engines or cloud computing service providers, social networks, public authorities, online payment platforms such as PayPal, and leading e-shops like Amazon.