As part of the EU Cybersecurity strategy, the European Commission proposed the EU Network and Information Security (NIS) directive. The NIS Directive (see EU 2016/1148) is the first piece of EU-wide cybersecurity legislation. Its goal is to enhance cybersecurity across the EU. The NIS Directive was adopted in 2016 and, because it is an EU directive, every EU member state has since started to adopt national legislation that follows or ‘transposes’ the directive. EU directives give EU countries some flexibility to take national circumstances into account, for example to re-use existing organizational structures or to align with existing national legislation. The deadline for national transposition by the EU member states is 9 May 2018.
The NIS Directive has three parts:
1. National capabilities: EU Member States must have certain national cybersecurity capabilities, e.g. they must have a national CSIRT, perform cyber exercises, etc.
2. Cross-border collaboration: collaboration between EU countries, e.g. the operational EU CSIRT network, the strategic NIS cooperation group, etc.
3. National supervision of critical sectors: EU Member States have to supervise the cybersecurity of critical market operators in their country, with ex-ante supervision in critical sectors (energy, transport, water, health, and finance sector) and ex-post supervision for critical digital service providers (internet exchange points, domain name systems, etc.).
NIS cooperation group
The NIS cooperation group is the strategic cooperation group, where the EU member states cooperate, exchange information, and agree on how to implement the NIS directive consistently across the EU. The NIS cooperation group also gives strategic direction to the underlying EU CSIRT network. The members of the NIS cooperation group are representatives of relevant national ministries and national cybersecurity agencies.
ENISA assists the Cooperation Group in its tasks by:
For example ENISA has developed, together with the EU member states, three guidelines
For more information please read the full text of the Directive (EU) 2016/1148.
Other ENISA activities under the NIS directive
ENISA has been active in a number of these areas. We link to the relevant topics:
More information about the directive
More information about the directive can be found in the Commission’s factsheet about the NIS directive.
At the start of 2017 the Commission published a broader overview in an updated factsheet about EU cybersecurity policy initiatives.
In September 2017 the Commission proposed new cybersecurity policy initiatives, including a recommendation for EU Member States to develop a Cybersecurity framework for the exchange of cybersecurity information, a proposal for an EU-wide Cybersecurity certification framework, and a proposal for a stronger mandate for ENISA, so that it can become a true EU Cybersecurity agency.