The NIS Directive and its challenges

Home » Policy Landscape » Cybersecurity » The NIS Directive and its challenges

a. Political challenges
The first EU-wide legislation on cybersecurity, the Directive on Security of Network and Information Systems (the ‘NIS Directive’), which entered into force in 2016 after 3 years of negotiations, marked a step change in cybersecurity as for the first time it was established a common approach to increase the level of security of network and information systems across the Union. This law therefore constitutes the primary anchor for the EU cybersecurity architecture.

To date 25 EU Member States have notified full transposition of the Directive (all apart from LU-BE-HU). Prima facie checks have not revealed major gaps in the national transposition. The Directive requires Member States to get equipped with at least a minimum set of
capabilities (a national strategy, national competent authority/ies, a national Computer Security Incident Response Team/ CSIRT). It also requires Member States to ensure that operators in critical sectors, as well as digital service providers, take appropriate security
measures and notify significant incidents affecting their network and information systems to the national authorities. The NIS Directive planted the seeds for enforcing risk management practices and increasing the capabilities to prevent and react to incidents thanks to a better knowledge basis.

In addition, Member States benefit from the work of the two cooperation fora established by the Directive, the NIS Cooperation Group (The Group) and the network of national Computer Security Incident Response Teams (CSIRTs Network).
While the adoption of the NIS Directive has been received as a major improvement by a wide variety of stakeholders, this being the first legislation in the field it faced lots of resistance during the negotiations.
The NIS Directive will have to be reviewed at the latest in 2021. At the present stage, it can be argued that the resilience of the EU critical infrastructures will continue to be an important area of work and that some areas for improvement can already be identified (see below).

b. Ongoing / open files
The Commission is monitoring the national transposition of the Directive. DG CNECT is currently conducting in-depth compliance checks involving an article-by-article analysis of the transposition in each Member State. As part of the in-depth analysis, the Commission will visit Member States and conduct checks by liaising with the relevant ministries/authorities and stakeholders. As this is the first ever horizontal cybersecurity legislation in Europe it is essential that we make major effort in making sure that the adoption of national transposition measures produces real effect on the ground.

Moreover, by 9th November 2018, Member States had to identify their Operators of Essential Services (OES) and communicate that to the European Commission.
The Cooperation Group – made of national competent authorities, the Commission and ENISA – and the CSIRTs Network – composed of national CSIRTs, ENISA and CERT-EU – are meeting regularly and issuing important deliverables.


Electronic communication networks and interconnected digital services have become ubiquitous as they have permeated every fold of everyday life. At a time when automated profiling and electronic surveillance have become commodities, citizens and businesses alike may face limitations and threats when they have personal data processed or seek to protect their privacy on the internet or when using general communication services. Limitations in the transparency, the functionality and interconnectivity of online and communication services increases the risk of having personal data processed out of control of any accountable person or organization or simply becoming exposed to all sorts of privacy threats.

Future Events

The CYBERSEC2019 will be held on 29-30 October 2019 in Katowice, Poland. This is a public policy conference dedicated to strategic security aspects of the global technology revolution and a thriving inter-national community that combines the knowledge and experience of experts and professionals.

29/10/2019 to 30/10/2019

Cyber Security Summit is the UK’s largest one-day event dedicated to cross-sector learning for cyber preparedness across government, the public sector, critical national infrastructure and industry. Connecting 2,000 senior-level business, security, technology and data leaders – this event provides a unique platform to debate national leadership priorities and share best practice solutions to achieve cyber resilience in a fast-moving digital world.