NIS Directive and NIS 2
The NIS Directive (adopted 6 July 2016) was the first EU-wide cybersecurity law. It boosts national capabilities (each state sets up a CSIRT and a national NIS authority), builds EU-level cooperation, and promotes risk management/incident reporting by operators of essential services (OES) and digital service providers (DSPs). Transposition was due by 9 May 2018. A proposed NIS 2 Directive (Dec 2020) widens scope and raises fines.
The NIS Directive is the first piece of EU-wide cybersecurity legislation, adopted 6 July 2016 and in force from August 2016. Member states had to transpose it by 9 May 2018 and identify operators of essential services by 9 November 2018.
- National capabilities: each state sets up a CSIRT and a competent national NIS authority
- EU cooperation: a cooperation group and a CSIRT network for sharing risk information
- Risk management & reporting: by OES (energy, transport, water, banking, financial market infrastructure, health, digital infrastructure) and DSPs (search engines, cloud, online marketplaces)

| Aspect | NIS Directive | NIS 2 (proposed) |
|---|---|---|
| Adopted/proposed | 6 July 2016 | 16 December 2020 |
| Scope | OES + DSPs | Widened to more sectors |
| Security & reporting | Baseline rules | Strengthened |
| Fines | Set nationally | Increased maximum fines |
| Transposition | By 9 May 2018 | 18 months after final publication |

The NIS Directive is the first EU-wide cybersecurity legislation. Each member state identifies the companies it covers and the exact form it takes, another source of national variation.