The Directive on security of network and information systems (Directive (EU) 2016/1148), commonly called the NIS Directive, was adopted by the European Parliament and Council on 6 July 2016 and was the first piece of EU-wide cybersecurity legislation. Member states had until 9 May 2018 to transpose it into national law.
The directive pursued three core objectives:
- National capability: each member state had to adopt a national cybersecurity strategy, designate one or more competent authorities, and establish a Computer Security Incident Response Team (CSIRT).
- Cross-border cooperation: it created the Cooperation Group (of member state representatives, the Commission, and ENISA) and the CSIRTs Network to share information and coordinate responses.
- Sectoral obligations: Operators of Essential Services (OES) in energy, transport, banking, financial market infrastructure, health, drinking water, and digital infrastructure, plus certain Digital Service Providers (DSPs) such as cloud services, online marketplaces, and search engines, were required to manage cyber risks and notify significant incidents to national authorities.
Implementation was uneven. Member states applied different thresholds for designating OES, transposition was slow in several countries, and the DSP regime used a lighter-touch approach than the OES regime. A 2020 Commission review concluded that the scope was too narrow and enforcement too inconsistent.
This led to the NIS 2 Directive (Directive (EU) 2022/2555), adopted 14 December 2022, which repealed and replaced the original NIS Directive with effect from 18 October 2024. NIS 2 substantially expanded sectoral coverage (adding, for example, public administration, space, postal services, waste management, and managed service providers), introduced size-based scoping, harmonised incident reporting timelines, and strengthened supervisory and penalty regimes, including potential personal liability for management bodies.
The NIS framework sits alongside other EU cyber instruments such as the Cybersecurity Act (2019), DORA for finance, and the Cyber Resilience Act.
Example
In 2018, Germany transposed the NIS Directive through the IT Security Act framework, designating operators in sectors such as energy and health as Operators of Essential Services subject to BSI oversight.
Frequently asked questions
No. It was repealed by NIS 2 (Directive (EU) 2022/2555) with effect from 18 October 2024, the deadline for member states to apply the new national measures.
Keep learning