The Network and Information Security Directive (commonly the NIS Directive) was the European Union's first bloc-wide cybersecurity law. Adopted as Directive (EU) 2016/1148, it entered into force in August 2016, with member states required to transpose it into national law by May 2018. Its goal was to raise the overall level of cybersecurity across the EU by imposing obligations on operators in sectors deemed critical to the economy and society.
The original directive applied to two main groups. Operators of essential services (OES) included entities in energy, transport, banking, financial market infrastructures, health, drinking water supply, and digital infrastructure. Digital service providers (DSPs) covered online marketplaces, search engines, and cloud computing services. Both groups had to take appropriate technical and organisational measures to manage risks to their networks and information systems, and to notify national authorities of incidents with significant impact.
The directive also required each member state to:
- adopt a national NIS strategy;
- designate one or more competent authorities and a national single point of contact;
- establish Computer Security Incident Response Teams (CSIRTs);
- participate in a Cooperation Group and a CSIRTs network at EU level to share information and coordinate responses.
Because transposition varied widely and the original scope excluded sectors such as public administration, food, and waste management, the EU revised the framework. Directive (EU) 2022/2555, known as NIS2, repealed the original directive and broadened both the sectoral scope and the supervisory and sanctioning regime. NIS2 entered into force in January 2023, with a transposition deadline of 17 October 2024. It distinguishes between "essential" and "important" entities, tightens incident-reporting timelines, and introduces management accountability and harmonised penalties.
For delegates and researchers, the NIS Directive is a key reference point for how regional organisations translate cybersecurity from a national-security concern into binding regulatory obligations on private operators.
Example
In 2018, Germany transposed the NIS Directive through amendments to its BSI Act, designating the Federal Office for Information Security (BSI) as the competent authority for operators of essential services.
Frequently asked questions
NIS2 (Directive (EU) 2022/2555) repeals and replaces the original 2016 directive. It expands sectoral coverage, replaces the OES/DSP distinction with 'essential' and 'important' entities, tightens incident reporting, and introduces harmonised penalties and management liability.
Keep learning