News Item

Security requirements for operators of essential services and digital service providers

The EU Agency for Cybersecurity publishes a new report assessing security requirements.

Published on March 19, 2020

Operators of essential services and digital service providers are facing new legal obligations. Security measures are now legally binding. Two legislative acts set the requirements. Both acts entered into force in 2018. They are:

  • The Network and Information Security Directive (NISD)
  • The General Data Protection Regulation (GDPR).

The focus of each act is different. ENISA has already published documents with good practices for these two acts. Therefore, the purpose of the Report - Stock Taking of security requirements set by different legal frameworks on OES and DSPs is to present a mapping of already identified security objectives in the NISD as well as in the GDPR with ENISA good practice guides.

Report Objectives

  • To advise operators of essential services as well as digital service providers in their process of identifying appropriate security measures based on the provisions of both legislative acts.

Report Content

  • Information and guidance in reports already issued by ENISA;
  • A mapping of already identified security objectives, as defined in both NISD and GDPR.

Target Audience

  • Operators of essential services;
  • Digital Service Providers;
  • NIS Competent Bodies;
  • Data Protection Authorities.

Key recommendations

  • NIS Competent Bodies and Data Protection Authorities to address:
    • A process inclusive of both NIS and GDPR risk management frameworks;
    • Sector specific approaches considering the specific needs for information security as well as for data protection;
    • A cooperation method to improve consistency, under the leadership of the European Commission.
    • Certification in the context of the two acts, together with the EU agency for Cybersecurity and the European Commission.
  • The European Scientific Community together with the EU Agency for Cybersecurity to continue providing specialised guidance on data protection and security techniques.


Further information

ENISA Report - Stock taking of security requirements set by different legal frameworks on OES and DSPs

Further queries: please contact


Stay updated - subscribe to RSS feeds of both ENISA news items & press releases!

News items:


We use cookies on our website to support technical features that enhance your user experience.
We also use analytics. To opt-out from analytics, click for more information.

I've read it More information