The NIS Directive


A challenge that applies to all stakeholders is to understand the overlap between pieces of legislation and to apply them consistently throughout the Union. While the GDPR focuses on the rights of the data subjects and the obligations of relevant actors in processing activities, the NIS Directive concerns the national critical infrastructure of Member States and focuses on the main economic sectors.

The first EU-wide legislation on cybersecurity, the Directive on Security of Network and Information Systems (the ‘NIS Directive’), entered into force in 2016 after 3 years of negotiations. It marked a step change in cybersecurity, as for the first time a common approach to increasing the level of security of network and information systems across the Union was established. This law therefore constitutes the primary anchor for the EU cybersecurity architecture.

European harmonisation to protect critical sectors

The first challenge of the NIS Directive is that this is the first complete effort of the European Union to harmonise the cyber-security of critical infrastructure by increasing the common level of security in all Member States.

To date, 25 EU Member States have notified full transposition of the Directive (all apart from LU-BE-HU). Prima facie checks have not revealed major gaps in the national transposition. The Directive requires Member States to be equipped with at least a minimum set of capabilities (a national strategy, national competent authority/ies, a national Computer Security Incident Response Team (CSIRT)). It also requires Member States to ensure that operators in critical sectors, as well as digital service providers, take appropriate security measures and notify significant incidents affecting their network and information systems to the national authorities.

In addition, Member States benefit from the work of the two cooperation fora established by the Directive, the NIS Cooperation Group (The Group) and the network of national Computer Security Incident Response Teams (CSIRTs Network).

Challenges in implementing the NIS

As a result of the above, coordination between Member States is vital in order for Member States to be compliant with the NIS Directive. This requires not only cooperation nationally between the single point of contact of each Member State and the CSIRTs but also among Member States’ governments and enforcement agencies. The cooperation is expected on many levels: firstly, between the CSIRTs, which will create a CSIRTs network to effectively exchange information and support one another, but also between national competent authorities that need to assess the compliance of operations of essential services.

Lastly, the legal instrument chosen by the European Union legislators, a Directive, means that even though it is a legally binding act, each Member State has to implement the set of objectives and further specifications in its national legislation. Unavoidably, this adds a further level of difficulty to the harmonisation of a high common level of security of network and information systems across the European Union.

Planting the seeds for a stronger Europe

What is sure is that the NIS Directive planted the seeds for enforcing risk management practices and increasing the capabilities to prevent and react to incidents thanks to a better knowledge basis. The adoption of the NIS Directive has been received as a major improvement by a wide variety of stakeholders and will have to be reviewed at the latest in 2021. At the present stage, it can be argued that the resilience of the EU critical infrastructures will continue to be an important area of work and that some areas for improvement can already be identified.


