Two-thirds of large UK companies have come under cyber attack in the past year, according to the UK Government, and a quarter have been attacked at least once a month. But only half have taken any recommended actions to address their vulnerabilities, only a third have formal cyber security policies and under 10 per cent have an incident management plan. EU Governments have now decided to legislate against such complacency: the Network and Information Security Directive, agreed by the EU Ministers on 17 May 2016, will impose mandatory requirements on firms in key sectors to protect their systems from such attacks and to notify national authorities if they occur. Companies subject to these regulations should be proactive about developing plans for compliance.