04 Jul 2022

Study to support the review of Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (NIS Directive)

Lorenzo Pupillo / Carolina Polito

Cybersecurity resilience is a key priority for the protection of critical infrastructure in the European Union, where network and information systems are particularly fragile due to the fragmented nature of national strategies and capabilities.

Against this background, the Commission decided to intervene by creating an effective European mechanism to foster collaboration and the sharing of information on network and information security risks and incidents, to secure cross-border services and systems, and to avoid harmful consequences and reduced trust from businesses and citizens.

Thus, after three years of negotiations, the European Parliament and the Council adopted Directive (EU) 2016/1148 (NIS Directive) to strengthen the protection offered by the existing EU and national legislation. The NIS Directive is the first horizontal internal market instrument aimed at improving the cybersecurity resilience of the European Union. Adopted in July 2016 and required to be transposed into law by the Member States by 9 May 2018, the NIS Directive aimed to ensure the continuity of essential services allowing the European Union’s economy and society to function properly by building cybersecurity capabilities across the EU and mitigating growing threats to network and information systems used to provide essential services in key sectors.