Directive on Security of Network and Information Systems (NIS Directive)


    Directive on Security of Network and Information Systems (NIS Directive)

    Directive (EU) 2016/1148

    The Directive was adopted by the European Parliament on 6 July 2016 and entered into force in August 2016. EU Member States were expected to: a) transpose the Directive into their national laws by 9 May 2018; and, b) to identify operators of essential services by 9 November 2018.

    Last Updated: July 30, 2019

  • General

    The security of network and information systems (NIS) is essential for the smooth functioning of the internal market. Network and information services play a vital role in many aspects of our increasingly digitized and interconnected society. In particular, they play an essential role in facilitating the cross border of movement of people, goods and services. The nature and the increasing frequency, magnitude, and impact of security threats represent a major challenge to the proper functioning of network and information systems. Disruption to NIS and Security threats can result in substantial financial losses, wholescale non-compliance and illegality across a wide range of laws and jurisdictions (e.g. data protection, financial laws and regulations, banking legislation, trade law, etc.) ultimately damaging the economy of the Union.

    In an effort to mitigate the risks posed by incidents involving NIS, the Directive lays down measures with a view to achieving a high common level of security across networks, information systems, and Member States. To that end, the Directive:

    • lays down certain obligations to set the tone;
    • creates a Cooperation Group to facilitate cooperation and information exchange between Member States;
    • creates the figure of Computer Security Incident Response Teams (CSIRTs) and a common network for those teams;
    • establishes security and notification requirements for operators of essential services and for digital service providers;
    • imposes on Member States the obligation to designate competent authorities, CSIRTs, and single points of contact;
    • imposes on each Member State the obligation to adopt a national strategy on the security of network and information systems;
    • defined a very specific deadline  (9 November 2018) for each Member State to identify the so-called operators of essential services for each sector (electricity, oil, gas, air, rail water and road transport, banking, financial market infrastructures, health sector, and the supply of drinking water);
    • requires each Member State to issue a publicly available national strategy on the security of NIS.


    ‘Operator of essential services’ is any public or private entities that rely on network and information systems to provide services which are essential to for the maintenance of critical societal and/or economic activities. A crucial element to determine whether an entity is an operator of essential services is the significance of the disruptive effect an incident involving their NIS would have on the provision of the service the entity provides. In order to determine the significance of a disruptive effect, Member States ought to observe the following criteria:

    • number of users relying on the service;
    • whether other sectors depend on the service provided by the affected entity;
    • the degree, duration and impact the incident has on economic and societal activities or public safety;
    • the market share of the affected entity;
    • the geographic spread of the (potentially) affected area;
    • the importance of the affected entity for maintaining a sufficient level of the service (e.g., whether there are other alternative means to provide that service); and,
    • other sector-specific factors.

    Where an operator provides essential services across two or more Member States, the relevant Member States shall engage in consultation with each other before a decision on identification is made.

    ‘NIS’ is any device or group of interconnected (through an electronic communications network) or related devices which perform automatic processing of digital data.

    ‘Electronic communications network’ means transmission systems and, where applicable, switching or routing equipment and other resources which permit the conveyance of signals by wire, by radio, by optical or by other electromagnetic means, including satellite networks, fixed and mobile terrestrial networks, electricity cable systems, to the extent that they are used for the purpose of transmitting signals, networks used for radio and television broadcasting, and cable television networks, irrespective of the type of information conveyed.

    ‘security of network and information systems’ means the ability of network and information systems to resist, at a given level of confidence, any action that compromises the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the related services offered by, or accessible via, those network and information systems.

    ‘incident’ means any event having an actual adverse effect on the security of network and information systems.

    ‘risk’ means any reasonably identifiable circumstance or event having a potential adverse effect on the security of network and information systems.

    ‘internet exchange point (IXP)’ means a network facility which enables the interconnection of more than two independent autonomous systems, primarily for the purpose of facilitating the exchange of internet traffic.

    ‘online marketplace’ means a digital service that allows consumers and/or traders to conclude online sales or service contracts with traders either on the online marketplace’s website or on a trader’s website that uses computing services provided by the online marketplace.

    ‘cloud computing service’ means a digital service that enables access to a scalable and elastic pool of shareable computing resources

    Status of implementation

    The transposition of the Directive into national law has not been as smooth as expected considering the high priority of NIS security and resilience. On 9 July 2018, the European Commission issued a formal notice to 17 Member States requesting the full implementation of the NIS Directive: Austria, Bulgaria, Belgium, Croatia, Denmark, France, Greece, Hungary, Ireland, Latvia, Lithuania, Luxembourg, the Netherlands, Poland, Portugal, Romania, and Spain.

    To date, the implementation status is as follows:

    • Full transposition and details (of national strategy and single point of contact): Spain, Portugal, Estonia, Germany, the U.K., Croatia, Slovenia, Slovakia, the Czech Republic, Sweden, Cyprus, Finland, Malta, and Denmark.
    • Transposition in progress with details (of national strategy and single point of contact): Ireland, the Netherlands, Belgium, France, Luxembourg, Greece, Bulgaria, Poland. Partial transposition: Lithuania and Hungary (which, has not provided a national strategy).
    • Transposition without any details: Italy. Nothing: Austria and Romania.

Want to learn more? Login to the full DataGuidance platform.

About OneTrust

OneTrust is the #1 most widely used privacy, security and third-party risk technology platform trusted by more than 3,000 companies to comply with the CCPA, GDPR, ISO27001 and hundreds of the world’s privacy and security laws. OneTrust's three primary offerings include OneTrust Privacy Management Software, OneTrust PreferenceChoice™ consent and preference management software, and OneTrust Vendorpedia™ third-party risk management software and vendor risk exchange. To learn more, visit or connect on LinkedIn, Twitter and Facebook.