As part of the EU Cybersecurity strategy the European Commission proposed the EU Network and Information Security directive. The NIS Directive (see EU 2016/1148) is the first piece of EU-wide cybersecurity legislation. The goal is to enhance cybersecurity across the EU. The NIS directive was adopted in 2016 and subsequently, because it is an EU directive, every EU member state has started to adopt national legislation, which follows or ‘transposes’ the directive. EU directives give EU countries some level of flexibility to take into account national circumstances, for example to re-use existing organizational structures or to align with existing national legislation. The national transposition by the EU member states happened on 9 May 2018.

The NIS Directive has three parts:

1. National capabilities: EU Member States must have certain national cybersecurity capabilities of the individual EU countries, e.g. they must have a national CSIRT, perform cyber exercises, etc.

2. Cross-border collaboration: Cross-border collaboration between EU countries, e.g. the operational EU CSIRT network, the strategic NIS cooperation group, etc.

3. National supervision of critical sectors: EU Member states have to supervise the cybersecurity of critical market operators in their country: Ex-ante supervision in critical sectors (energy, transport, water, health, digital infrastructure and finance sector), ex-post supervision for critical digital service providers (online market places, cloud and online search engines)

The European Commission maintains a map showing the status of the transposition of the NIS Directive across the EU Member States.

NIS directive

NIS cooperation group

The NIS cooperation group is the strategic cooperation group, where the EU member states cooperate, exchange information, and agree on how to implement the NIS directive consistently across the EU. The NIS cooperation group also gives strategic direction to the underlying EU CSIRT network. The members of the NIS cooperation group are representatives of relevant national ministries and national cybersecurity agencies.

ENISA assists the Cooperation Group in its tasks by:

  • Identifying good practices in the Member States regarding the implementation of the NIS directive
  • Supporting the EU-wide cybersecurity incident reporting process, by developing thresholds,  templates and tools
  • Agreeing on common approaches and procedures
  • Helping Member States to address common cybersecurity issues

The guidelines and reference documents  of the NIS Cooperation Group for the Member States are published here.

For example ENISA has developed, together with the EU member states, three guidelines

For more information please read the full text of the Directive (EU) 2016/1148.

Other ENISA activities under the NIS directive

ENISA has been active in a number of these areas. We link to the relevant topics:

More information about the directive

More information about the directive can be found in the Commission’s factsheet about the NIS directive

At the start of 2017 the Commission published a broader overview in an updated factsheet about EU cybersecurity policy initiatives

In September 2017 the Commission proposed new cybersecurity policy initiatives, including a recommendation for EU Member States to develop a Cybersecurity framework for the exchange of cybersecurity information, a proposal for an EU-wide Cybersecurity certification framework, and a proposal for a stronger mandate for ENISA, so that it can become a true EU Cybersecurity agency.

We use cookies on our website to support technical features that enhance your user experience.
We also use analytics. To opt-out from analytics, click for more information.

I've read it More information