From stricter reporting rules to a new cyber threat hub, the EU is upgrading its cybersecurity law

European Union flags flutter outside the European Commission headquarters in Brussels, Belgium, as the EU strengthens its cybersecurity legislation.

“We need to act to make our businesses, governments and society more resilient to hostile cyber operations,” an EU official said. Image: REUTERS/Yves Herman/File Photo

Spencer Feingold
Digital Editor, World Economic Forum
Filipe Beato
Lead, Centre for Cybersecurity, World Economic Forum
Our Impact
What's the World Economic Forum doing to accelerate action on Cybersecurity?
The Big Picture
Explore and monitor how Cybersecurity is affecting economies, industries and global issues
A hand holding a looking glass by a lake
Crowdsource Innovation
Get involved with our crowdsourced digital platform to deliver impact at scale
Stay up to date:


This article is part of: Centre for Cybersecurity

Listen to the article

  • The European Union is replacing its bloc-wide cybersecurity directive in an effort to bolster cyber resilience.
  • In particular, the legislation aims to protect critical infrastructure.
  • “If we are being attacked on an industrial scale, we need to respond on an industrial scale,” a top EU official said.

The European Union is set to make major upgrades to its bloc-wide cybersecurity framework for the first time in years.

In November, the EU Parliament and European Council approved the implementation of a new policy known as the Network and Information Security Directive 2 (NIS 2.0). The framework will replace the original NIS Directive, which was introduced in 2016 as the first EU-wide cybersecurity legislation.

“We need to act to make our businesses, governments and society more resilient to hostile cyber operations,” Bart Groothuis, the lead member of the European Parliament, said in a statement. “This European directive is going to help around 160,000 entities tighten their grip on security and make Europe a safe place to live and work.”

NIS 2.0 aims to bolster the EU’s cybersecurity capabilities and resilience by expanding its coverage to include more sectors as well as increasing and harmonizing baseline security requirements for member states. Notably, this expansion includes a focus on critical infrastructure like energy systems, health care networks and transportation services.

The directive also introduces new mechanisms to better facilitate cooperation among national authorities and establishes a new centre to oversee a coordinated response to major cyber attacks. The centre is called the European Cyber Crises Liaison Organisation Network—or the EU-CyCLONe.

“If we are being attacked on an industrial scale, we need to respond on an industrial scale,” Groothuis added.

Under the NIS 2.0 directive, the EU will also join the United States and other countries in mandating stricter incident reporting requirements. The legislation will mandate that organizations across the board report cyber breaches and attacks within 24 hours of becoming aware of the incident. Companies that fail to do so can face steep fines.

European Commission vice-presidents Margaritis Schinas and Josep Borrell, and EU Commissioner for Internal Market Thierry Breton attend a news conference on the EU's cybersecurity strategy, in Brussels, Belgium December 16, 2020. Kenzo Tribouillard/Pool via REUTERS
Top European Commission officials speak on the EU's cybersecurity strategy in Brussels in 2020. Image: REUTERS

NIS 2.0 has been in development for several years and is part of a wider EU campaign to engage stakeholders and bolster cybersecurity measures more broadly.

In fact, in 2021, the EU requested the World Economic Forum’s Cyber Resilience in Electricity community to provide comments on plans to improve cybersecurity legislation. “In view of the unprecedented digitalization in recent years, the feedback from member states and society, and the need for a more harmonized implementation across member states, the time has come to refresh it,” the Forum stated in its report.

Already, the EU has introduced new legislation to strengthen security requirements for digital hardware and software products and critical energy infrastructure.

Yet NIS 2.0 is being advanced as cyber attacks continue to rise in prevalence and sophistication—and continue to target critical infrastructure systems. In February, for example, major oil refining hubs in Belgium and the Netherlands were hit with a cyber attack. The hack interrupted the trade of refined products across the region.

“There is no doubt that cybersecurity will remain a key challenge for the years to come. The stakes for our economies and our citizens are enormous,” Ivan Bartoš, the Czech deputy prime minister for digitalization and minister of regional development, said in a statement after the Council’s vote, adding that NIS2 is “another step to improve our capacity to counter this threat.”

NIS 2.0 is expected to come into effect in the coming weeks and EU member states will then have 21 months to incorporate the new provisions into their national legislation. EU-CyCLONe officials, however, have already begun large-scale cyber attack simulations to increase readiness.

“Cyberattacks are everywhere,” Thierry Breton, the EU commissioner for the internal market, said in a statement on the cyber training exercise. “It is our shared responsibility to work collectively in preparing and implementing rapid emergency response plans.”

Moreover, the Forum Cyber Resilience communities continue to foster multistakeholder dialogues to enhance and drive collective action and raise awareness to strengthen cyber resilience at a global scale. These incudes, among other initiatives, a cybersecurity learning lab that aims to help organizations across sectors understand and mitigate their cyber risk.

Have you read?
Don't miss any update on this topic

Create a free account and access your personalized content collection with our latest publications and analyses.

Sign up for free

License and Republishing

World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.

The views expressed in this article are those of the author alone and not the World Economic Forum.

World Economic Forum logo
Global Agenda

The Agenda Weekly

A weekly update of the most important issues driving the global agenda

Subscribe today

You can unsubscribe at any time using the link in our emails. For more details, review our privacy policy.

3 things CEOs must prepare to unlock the power of generative AI

Patrick Tsang

June 25, 2024

About Us



Partners & Members

  • Join Us

Language Editions

Privacy Policy & Terms of Service

© 2024 World Economic Forum