The NIS Directive is the first piece of EU-wide legislation on cybersecurity. It provides legal measures to boost the overall level of cybersecurity in the EU.

The Directive on security of network and information systems (the NIS Directive) was adopted by the European Parliament on 6 July 2016 and entered into force in August 2016. Member States had to transpose the Directive into their national laws by 9 May 2018 and identify operators of essential services by 9 November 2018.

The NIS Directive provides legal measures to boost the overall level of cybersecurity in the EU by ensuring:

  • Member States' preparedness by requiring them to be appropriately equipped, e.g. via a Computer Security Incident Response Team (CSIRT) and a competent national NIS authority,
  • cooperation among all the Member States, by setting up a Cooperation Group, in order to support and facilitate strategic cooperation and the exchange of information among Member States. They will also need to set a CSIRT Network, in order to promote swift and effective operational cooperation on specific cybersecurity incidents and sharing information about risks,
  • a culture of security across sectors which are vital for our economy and society and moreover rely heavily on ICTs, such as energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure. Businesses in these sectors that are identified by the Member States as operators of essential services will have to take appropriate security measures and to notify serious incidents to the relevant national authority. Also key digital service providers (search engines, cloud computing services and online marketplaces) will have to comply with the security and notification requirements under the new Directive.

A "NIS Toolkit"

As the cybersecurity threat landscape is evolving fast, it is necessary to swiftly implement the Directive. In view of the impending deadlines for its transposition into national legislation (by 9 May 2018), and for the identification of operators of essential services (by 9 November 2018), the Commission adopted on 13 September 2017 a Communication that aims at supporting Member States in their efforts to implement the Directive swiftly and coherently across the EU.

The "NIS toolkit" provides practical information to Member States, e.g. by presenting best practices from the Member States and by providing explanation and interpretation of specific provisions of the Directive to clarify how it should work in practice.

Report assessing the consistency of the approaches in the identification of operators of essential services

Under Directive (EU) 2016/1148 on Security of Network and Information Systems (the “NIS Directive”), identified operators of essential services will have to take appropriate security measures and to notify serious cyber incidents to the relevant national authority. This report provides an overview of how Member States have identified operators of essential services. It assesses whether the methodologies for identifying such operators are consistent across Member States.

Review of the Directive

Article 23 of the Directive requires the European Commission to review the functioning of this Directive periodically. As part of its key policy objective to make “Europe fit for the digital age” as well as in line with the objectives of the Security Union, the Commission announced in its Work Programme 2020 that it would conduct the review by the end of 2020. 

As part of this process, a consultation opened on 7 July 2020, with as deadline 2 October 2020. The results of this consultation were used for the evaluation and impact assessment of the NIS Directive.

Proposal for a revised NIS Directive (NIS2)

As a result of the review process, the new legislative proposal has been presented on 16 December 2020. 

This proposal is part of a package of measures to improve further the resilience and incident response capacities of public and private entities, competent authorities and the Union as a whole in the field of cybersecurity and critical infrastructure protection. It is in line with the Commission’s priorities to make Europe fit for the digital age and to build a future-ready economy that works for the people.

The proposal builds on and repeals the current NIS Directive. It modernises the existing legal framework taking account of the increased digitisation of the internal market in recent years and an evolving cybersecurity threat landscape.

Proposal for a revised Directive on Security of Network and Information Systems is accompanied by an impact assessment, which was submitted to the Regulatory Scrutiny Board (RSB) on 23 October 2020 and received a positive opinion with comments by the RSB on 20 November 2020.