Electronic Information System (EIS)

What is an Electronic Information System?

An Electronic Information System (EIS) is a complex structure composed of technical and human elements, designed for the collection, processing, storage, transmission, or management of digital data. The term plays a central role in the fields of information security and cybersecurity, particularly in the context of regulations such as the NIS2 Directive or ISO 27001.

An EIS includes not only hardware and software components but also the people who operate or access the system—users whose actions directly impact its security and operation.

Technical components of an EIS

An electronic information system typically comprises three main technical pillars:

  • Electronic communication networks: These include any infrastructure used for data transmission—such as the internet, fixed and mobile networks, or internal corporate networks (e.g., LAN, VPN).
  • Digital devices and systems: Computers, servers, smart devices, industrial control systems, and sensors—all hardware that handles data automatically according to pre-programmed logic.
  • Digitally managed data: The information created, processed, stored, or transmitted by the system, which may include structured data (e.g. databases) or unstructured data (e.g. documents, emails).

The user as a risk factor and security element

Although an EIS is primarily defined in technical terms, modern information security frameworks—such as NIS2—consider the human element a core component. Users, administrators, operators, and third-party service providers can all represent potential vulnerabilities. Therefore:

  • Security measures must cover access rights, identity verification, and activity logging.
  • Continuous user training and awareness programs are essential for maintaining system security.
  • Human error, negligence, or malicious activity should be considered from the outset of security planning.

Why the definition of EIS matters in the context of NIS2

The NIS2 Directive, applicable from 2023, aims to strengthen cybersecurity resilience across the EU. To achieve this, clear definitions, protection, and monitoring of electronic information systems are crucial. Organizations covered by NIS2—such as utility providers, financial institutions, healthcare operators, and transport companies—are required to implement risk-based security measures for all systems handling critical information.

In this context, an EIS is treated as a regulated entity. For example:

  • An industrial control system used by a logistics company, along with its associated data network, qualifies as an EIS.
  • A cloud-based CRM platform that stores and transmits sensitive data is also considered an EIS.

EIS: More than a technical issue

The concept of an electronic information system has expanded far beyond the traditional “IT system” definition. For organizations operating in the digital space, an EIS is a complex infrastructure with technological, organizational, regulatory, and human dimensions.

As such, organizations should regularly review and document all EIS-related risks, responsibilities, and protective measures.

Official definition

An electronic information system is a set of systems—including communication networks, IT tools, and the data they manage—capable of automatic data processing and exchange. According to information security regulations, users who operate or access the system are also considered part of it.
