While compliance with the GDPR occupied the headlines, the deadline for E.U. Member States to transpose the Network and Information Security (NIS) Directive into national law came and went in relative quiet on May 9, 2018. Under the NIS Directive, operators of essential services and digital service providers are required to establish cybersecurity measures and report serious cyber incidents to the relevant national authority. “If any system is connected to the internet it is virtually impossible to protect it entirely from cyber attacks,” Robert Litt, of counsel at Morrison Foerster and former General Counsel for the Director of National Intelligence, told the Cybersecurity Law Report. “But the procedures that the NIS Directive requires, if enforced by Member States, should help to minimize and mitigate the attacks that do occur.” See also “Beyond GDPR: The E.U.’s Expanding Cybersecurity Regime” (Jun. 6, 2018).