CIPP/E Study Guide
Ch 10.6 - NIS Directive

The NIS Directive (and NIS 2)

The NIS Directive (Cybersecurity Directive) advances EU cybersecurity; it is not about personal data as such but complements the GDPR. It has three focuses: national cyber strategies and structures (including CSIRTs); raising security of operators of essential services and digital service providers; and cross-border cooperation (the NIS Cooperation Group). Essential services (Annex II): energy, water, transport, health, banking, digital infrastructure. Digital service providers (Annex III): online marketplaces, search engines, cloud services (eBay, Google, Amazon). Incidents are notified to CSIRTs/regulators without undue delay. NIS 2 (proposed 2020) widens scope and adds penalties of up to €10 million or 2% of turnover.

The NIS Directive advances the EU's cybersecurity agenda first legislated in 2009. It is not concerned with personal data security as such, but it complements the GDPR and indirectly bolsters the security of personal data held by regulated organisations. It has three focuses:

  1. Compel national cybersecurity strategies and structures - establishing national CSIRTs, appointing cybersecurity regulators, and identifying operators of essential services
  2. Improve security of operators of essential services and digital service providers via member-state laws setting security and incident-notification requirements
  3. Enhance cooperation between member states via the NIS Cooperation Group coordinating the CSIRTs and developing best practice

Essential services vs digital service providers

Operators of essential services (Annex II)
  Examples / sectors: energy, water, transport, health, banking, digital infrastructure
  Enforcement model: regulators can step in ex ante (before being alerted) as well as ex post

Digital service providers (Annex III)
  Examples / sectors: online marketplaces, search engines, cloud computing (e.g. eBay, Google, Amazon)
  Enforcement model: regulators can step in only ex post (after being alerted to a breach)

Security/notification duties: take appropriate, proportionate technical and organisational measures with regard to the state of the art; prevent and minimise incident impacts to maintain continuity; and notify CSIRTs/regulators of incidents with a significant impact without undue delay. Member states set their own penalties (effective, proportionate, dissuasive). NIS 2 (proposed December 2020) would widen scope (postal/courier, waste, food supply, critical manufacturing), add prescriptive risk-management rules, EU-coordinated risk assessments, ICT certifications, and harmonised penalties of up to €10 million or 2% of annual worldwide turnover.

Ex ante vs ex post

Regulators may act ex ante (before being alerted) for operators of essential services, but only ex post (after being alerted) for digital service providers. A neat distinction to remember.

Key terms - quick answers

What is “NIS Directive”?
The Directive on security of network and information systems (also 'Cybersecurity Directive'); advances EU cybersecurity and complements the GDPR.
What is “CSIRT”?
Computer Security Incident Response Team - national teams established under the NIS Directive to handle cyber incidents.
What is “Operators of essential services”?
Entities (Annex II) in energy, water, transport, health, banking and digital infrastructure whose disruption would significantly affect critical activities.
What is “Digital service providers”?
Online marketplaces, online search engines and cloud computing services (Annex III) - e.g. eBay, Google, Amazon.