In 2016 the European Parliament and the Council adopted regulations on the security of network and information systems across the Union, called the NIS Directive.

Directive EU 2016/1148

The Directive is part of the EU's cybersecurity strategy, and its goal is to enhance cybersecurity across the Union. In 2018 the Directive was implemented in Swedish law (2018:1174).

Swedish law 2018:1174 (in Swedish)

The NIS Directive has three parts:

  1. National capabilities: EU Member States must have certain national cybersecurity capabilities, e.g. they must have a national CSIRT, perform cyber exercises, etc.
  2. Cross-border collaboration: Cross-border collaboration between EU countries, e.g. the operational EU CSIRT network, the strategic NIS cooperation group, etc.
  3. National supervision of critical sectors: EU Member States have to supervise the cybersecurity of critical market operators in their country: ex-ante supervision in critical sectors (energy, transport, water, health, digital infrastructure and finance sector), ex-post supervision for critical digital service providers (online marketplaces, cloud and online search engines).
    NIS Directive — ENISA

Proposal for a new NIS Directive (NIS 2.0)

With the proposal, the EU aims to adapt the Directive to current needs and make it future-proof. It has added new sectors based on their criticality for the economy and society. The proposal introduces more stringent supervisory measures for national authorities and stricter enforcement requirements, and aims at harmonising sanctions regimes across Member States. It also eliminates the distinction between operators of essential services and digital service providers.

The proposal strengthens security requirements for companies by imposing a risk management approach that provides a minimum list of basic security elements that have to be applied.

Proposal for directive on measures for high common level of cybersecurity across the Union, European Commission

Proposal - Directive of the European Parliament and of the Council, EUR-Lex

What happens next?

The political agreement reached by the European Parliament and the Council is now subject to formal approval by the two co-legislators. Once published in the Official Journal, the Directive will enter into force 20 days after publication, and Member States will then have 21 months to transpose the new elements of the Directive into national law.

Commission welcomes political agreement on new rules on cybersecurity of network and information systems, European Commission

  • Denmark

    In Denmark, the NIS Directive has been implemented on a sector basis. Thus, each separate sector authority has the responsibility to implement the necessary legislation and to identify Operators of Essential Services. In a Danish context, it is the responsibility of the Danish Energy Agency to implement, monitor, and report to the National Contact Point (The Danish Centre for Cyber Security).

    In the energy sector, the NIS Directive has been implemented for the electricity, natural gas and oil sectors, where existing legislation has formed the scope for the companies that are considered operators of essential services.

  • Iceland