Skip to main content
Shaping Europe’s digital future logo

NIS Directive

The NIS Directive is the first piece of EU-wide legislation on cybersecurity. It provides legal measures to boost the overall level of cybersecurity in the EU.

© iStock by Getty Images -1169999045 aismagilov

The Directive on security of network and information systems (the NIS Directive) provides legal measures to boost the overall level of cybersecurity in the EU by ensuring:

  • Member States' preparedness, by requiring them to be appropriately equipped. For example, with a Computer Security Incident Response Team (CSIRT) and a competent national NIS authority,
  • cooperation among all the Member States, by setting up a Cooperation Group to support and facilitate strategic cooperation and the exchange of information among Member States. 
  • a culture of security across sectors that are vital for our economy and society and that rely heavily on ICTs, such as energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure.

Businesses identified by the Member States as operators of essential services in the above sectors will have to take appropriate security measures and notify relevant national authorities of serious incidents. Key digital service providers, such as search engines, cloud computing services and online marketplaces, will have to comply with the security and notification requirements under the new Directive.

A 'NIS Toolkit'

As the cybersecurity threat landscape evolves at a fast pace, it was necessary to implement the NIS Directive quickly. The Commission adopted a Communication to support Member States in their efforts to implement the Directive

The Communication, dubbed the 'NIS toolkit', provides practical information to Member States on the Directive. For example, it presents best practices on implementing the Directive from other Member States, with explanation and interpretation of specific provisions to clarify how the NIS Directive should work in practice.

Report assessing the consistency of the approaches in the identification of operators of essential services

Operators of essential services are responsible for notifying national authorities of serious cyber incidents. This report provides an overview of how Member States have identified operators of essential services. It assesses whether the methodologies for identifying such operators are consistent across Member States.

Review of the Directive

Article 23 of the Directive requires the European Commission to review the functioning of this Directive periodically. As part of its key policy objective to make Europe fit for the digital age as well as in line with the objectives of the Security Union, the Commission announced in its 2020 work programme that it would conduct the review by the end of 2020. 

As part of this process, a consultation opened on 7 July 2020, with as deadline 2 October 2020. The results of this consultation were used for the evaluation and impact assessment of the NIS Directive.

Proposal for a revised NIS Directive (NIS2)

As a result of the review process, the new legislative proposal was presented on 16 December 2020. 

The proposal is part of a package of measures to further improve the resilience and incident response capacities of public and private entities, competent authorities and the EU as a whole. It covers the field of cybersecurity and critical infrastructure protection. The proposal is in line with the Commission’s priorities to make Europe fit for the digital age and to build an economy ready for a future that works for the people.

The proposal builds on and repeals the current NIS Directive. It modernises the existing legal framework taking account of the increased digitisation of the internal market in recent years and an evolving cybersecurity threat landscape.

The proposal for a revised Directive on security of network and information systems was accompanied by an impact assessment, which was submitted to the Regulatory Scrutiny Board (RSB) on 23 October 2020 and received a positive opinion with comments by the RSB on 20 November 2020.


The European Cybersecurity Competence Centre and Network is now ready to take off

The regulation establishing a new Cybersecurity Competence Centre and a Network of National Coordination Centres has entered into force this week. The Cybersecurity Competence Centre, which will be located in Bucharest, will contribute to strengthening European cybersecurity capacities and to boosting research excellence and the competitiveness of the Union's industry in the cybersecurity field.

EU Cybersecurity: Commission proposes a Joint Cyber Unit to step up response to large-scale security incidents

The Commission has laid out a vision to build a new Joint Cyber Unit to tackle the rising number of serious cyber incidents impacting public services, as well as the life of businesses and citizens across the European Union. Advanced and coordinated responses in the field of cybersecurity have become increasingly necessary, as cyberattacks grow in number, scale and consequences, impacting heavily our security. All relevant actors in the EU need to be prepared to respond collectively and exchange relevant information on a ‘need to share', rather than only ‘need to know', basis.

Commission to invest €14.7 billion from Horizon Europe for a healthier, greener and more digital Europe

The Commission has adopted the main work programme of Horizon Europe for the period 2021-2022, which outlines the objectives and specific topic areas that will receive a total of €14.7 billion in funding. These investments will help accelerate the green and digital transitions and will contribute to sustainable recovery from the coronavirus pandemic and to EU resilience against future crises. They will support European researchers through fellowships, training and exchanges, build more connected and efficient European innovation ecosystems and create world-class research infrastructures

Security Union: EU rules on removing terrorist content online enter into force

Landmark EU rules on addressing the dissemination of terrorist content online entered into force this week. Platforms will have to remove terrorist content referred by Member States' authorities within 1 hour. The rules will also help to counter the spread of extremist ideologies online - a vital part of preventing attacks and addressing radicalisation.

Related Content

Big Picture

Cybersecurity Policies

The European Union works on various fronts to promote cyber resilience, safeguarding our communication and data and keeping online society and economy secure.

Dig deeper

NIS Cooperation Group

The Network and Information Systems Cooperation Group was established by the NIS Directive to ensure cooperation and information exchange among Member States.

See Also

European Cybersecurity Competence Centre and Network

The European Cybersecurity Competence Centre (ECCC) aims to increase Europe’s cybersecurity capacities and competitiveness, working together with a Network of National Coordination Centres (NCCs) to build a strong cybersecurity Community.

The EU Cybersecurity Act

The Cybersecurity Act strengthens the EU Agency for cybersecurity (ENISA) and establishes a cybersecurity certification framework for products and services.