Introduction
The Directive (EU) 2016/1148 on the security of network and information systems across the
Union1 (hereinafter referred to as “NIS Directive” or the “Directive”) adopted on 6 July, 2016
is the first EU horizontal legislation addressing cybersecurity challenges and a true game
changer for cybersecurity resilience and cooperation in Europe.
The Directive has three main objectives:
Improving national cybersecurity capabilities;
Building cooperation at EU level; and
Promoting a culture of risk management and incident reporting among key economic
actors, notably operators providing essential services (OES) for the maintenance of
economic and societal activities and Digital Service Providers (DSPs).
The NIS Directive is a cornerstone of the EU’s response to the growing cyber threats and
challenges which are accompanying the digitalisation of our economic and societal life, and
its implementation is therefore an essential part of the cybersecurity package presented on 13
September, 2017. The effectiveness of the EU’s response is inhibited as long as the NIS
Directive is not fully transposed in all EU Member States. This was also recognized as a
critical point in the Commission's 2016 Communication on Strengthening Europe's Cyber
Resilience System.2
The novelty of the NIS Directive and the urgency of tackling a fast evolving cyber-threat
landscape warrant particular attention to the challenges faced by all actors in ensuring the
timely and successful transposition of the Directive. In view of the transposition deadline of 9
May, 2018, and the deadline for the identification of operators of essential services of 9
November, 2018, the Commission has been supporting the Member States’ transposition
process and their work in the Cooperation Group to this end.
The present Communication with its annex is based on the Commission's preparatory work
and analysis related to the implementation of the NIS Directive thus far, on the input of the
European Agency for Network and Information Security (ENISA) and on the discussions held
with Member States in the transposition phase of the Directive, notably within the
Cooperation Group.3 This Communication complements the considerable efforts taken so far,
in particular through:
The intensive work of the Cooperation Group, which has agreed to a working plan
focusing predominantly on the transposition of the NIS Directive, and in particular on
the question of identification of operators of essential services and their obligations
concerning security requirements and incident notifications. While the Directive
1
Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July, 2016 concerning measures
for a high common level of security of network and information systems across the Union. The Directive entered
into force on 8 August, 2016.
2
COM(2016) 410 final.
3
A mechanism for strategic cooperation between Member States under the NIS Directive, Article 11.
2