Today’s economy, and with it the citizens of the EU, depends on reliable network and information services. Despite the wide selection of technical protection measures available, attacks on NIS are rising in number and impact. The EU’s response under its Cybersecurity Strategy has been the NIS Directive, a legal instrument aiming to ensure that critical IT systems in central sectors of the economy are secure. Analysing whether and how the legal requirements under the new framework match software requirements, and vice versa, calls for a joint effort of legal and technical experts. The abstract notions of the NIS Directive requirements need clarification so that compliant products can be derived and developers can be equipped with guidelines on how to meet the legal requirements with currently available technologies. However, technology and the law evolve at different speeds, so these interpretations and guidelines need to be dynamic. The objective of EnCaViBS is the creation of a living commentary on the NIS Directive, accompanied by a methodology for selecting the appropriate technological and organisational measures for NIS Directive compliant IT products.