Cybersecurity Law

23.3. European Cybersecurity Law I - NIS Directive (POLČÁK)

In this module, we focus on the core cybersecurity legislation in the EU - the NIS Directive (or the directive concerning measures for a high common level of security of network and information systems across the Union):

The primary aim of the Directive was to unify the regulatory architecture of cybersecurity measures across the common market and provide for a collaborative framework on the level of the EU. The following document summarizes the aims and content of the Directive:

In class, we will focus in particular on the following aspects of the NIS Directive:

- constituency (subjects and systems covered)

- compliance (protective and preventive measures)

- incident reporting and functioning of CSIRTs

- institutions and powers (incl. cooperation on the EU-level)

Regulatory and cooperative measures introduced by the NIS Directive represent only a part of the cybersecurity laws developed by the member states, partly because some areas covered by national cybersecurity laws fall outside the EU domain. Also, the NIS Directive left quite a broad space for the member states to decide whether and how various measures would be legislated and implemented. Consequently, there are big differences in national cybersecurity laws among the member states, as shown on the following reference page (the following resource is only informative - the particular cybersecurity laws of member states fall outside the scope of this course):

As the Commission, as well as the member states, has recently gained extensive experience with applying the NIS Directive, there has been extensive debate about improving the EU cybersecurity regulatory framework. As a result, a legislative draft that aims to replace the NIS Directive (also referred to as NIS II) is currently pending, with entry into force anticipated around the beginning of 2024.