Article 5 Minimum harmonisation

Summary What does Article 5 of the NIS 2 directive say?

This is a brief but important permissive clause that establishes the minimum harmonisation nature of the Directive.

Rather than setting a fixed ceiling on cybersecurity requirements, it explicitly allows Member States to go beyond what the Directive requires.

The single condition is that any stricter national provisions must remain compatible with Member States' broader obligations under Union law.

In essence, this article acts as a safeguard of national regulatory autonomy within the framework established by the Directive.

Important points:

Member States may adopt or maintain national cybersecurity rules that are stricter than those required by this Directive.
Any such provisions must remain consistent with Member States' obligations under Union law.
The Directive sets a floor, not a ceiling, for cybersecurity standards across the EU.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

This Directive shall not preclude Member States from adopting or maintaining provisions ensuring a higher level of cybersecurity, provided that such provisions are consistent with Member States’ obligations laid down in Union law.

Table of contents

Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.