Source: OJ L 333, 27.12.2022, p. 80–152Current language: EN
- High common level of cybersecurity for entities
Basic legislative acts
- NIS 2 directive
Article 7 National cybersecurity strategy
Summary What does Article 7 of the NIS 2 directive say?
This is a foundational article that sits at the heart of the NIS2 Directive's national-level implementation requirements.
It obliges every Member State to adopt a national cybersecurity strategy, and is notably detailed in what that strategy must contain.
Beyond simply mandating the strategy's existence, the article sets out a comprehensive list of structural elements it must include — from governance frameworks and risk assessments to public awareness plans — as well as a separate set of specific policy areas that must be addressed within it, covering topics such as supply chain security, vulnerability management, public procurement, and SME resilience.
The article also establishes ongoing obligations: Member States must notify the Commission of their strategy and review it at least every five years using key performance indicators.
Important points:
- Member States are required to adopt a national cybersecurity strategy covering governance, risk assessment, incident preparedness, and public awareness as mandatory components.
- Member States must also adopt specific policies within that strategy addressing areas including ICT supply chain security, vulnerability disclosure, and cyber hygiene for SMEs excluded from the Directive's scope.
- ENISA is available to assist Member States, upon their request, in developing or updating their national cybersecurity strategy and the key performance indicators used to assess it.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
Each Member State shall adopt a national cybersecurity strategy that provides for the strategic objectives, the resources required to achieve those objectives, and appropriate policy and regulatory measures, with a view to achieving and maintaining a high level of cybersecurity. The national cybersecurity strategy shall include:
objectives and priorities of the Member State’s cybersecurity strategy covering in particular the sectors referred to in Annexes I and II;
a governance framework to achieve the objectives and priorities referred to in point (a) of this paragraph, including the policies referred to in paragraph 2;
a governance framework clarifying the roles and responsibilities of relevant stakeholders at national level, underpinning the cooperation and coordination at the national level between the competent authorities, the single points of contact, and the CSIRTs under this Directive, as well as coordination and cooperation between those bodies and competent authorities under sector-specific Union legal acts;
a mechanism to identify relevant assets and an assessment of the risks in that Member State;
an identification of the measures ensuring preparedness for, responsiveness to and recovery from incidents, including cooperation between the public and private sectors;
a list of the various authorities and stakeholders involved in the implementation of the national cybersecurity strategy;
a policy framework for enhanced coordination between the competent authorities under this Directive and the competent authorities under Directive (EU) 2022/2557 for the purpose of information sharing on risks, cyber threats, and incidents as well as on non-cyber risks, threats and incidents and the exercise of supervisory tasks, as appropriate;
a plan, including necessary measures, to enhance the general level of cybersecurity awareness among citizens.
As part of the national cybersecurity strategy, Member States shall in particular adopt policies:
addressing cybersecurity in the supply chain for ICT products and ICT services used by entities for the provision of their services;
on the inclusion and specification of cybersecurity-related requirements for ICT products and ICT services in public procurement, including in relation to cybersecurity certification, encryption and the use of open-source cybersecurity products;
managing vulnerabilities, encompassing the promotion and facilitation of coordinated vulnerability disclosure under Article 12(1);
related to sustaining the general availability, integrity and confidentiality of the public core of the open internet, including, where relevant, the cybersecurity of undersea communications cables;
promoting the development and integration of relevant advanced technologies aiming to implement state-of-the-art cybersecurity risk-management measures;
promoting and developing education and training on cybersecurity, cybersecurity skills, awareness raising and research and development initiatives, as well as guidance on good cyber hygiene practices and controls, aimed at citizens, stakeholders and entities;
supporting academic and research institutions to develop, enhance and promote the deployment of cybersecurity tools and secure network infrastructure;
including relevant procedures and appropriate information-sharing tools to support voluntary cybersecurity information sharing between entities in accordance with Union law;
strengthening the cyber resilience and the cyber hygiene baseline of small and medium-sized enterprises, in particular those excluded from the scope of this Directive, by providing easily accessible guidance and assistance for their specific needs;
promoting active cyber protection.
Member States shall notify their national cybersecurity strategies to the Commission within three months of their adoption. Member States may exclude information which relates to their national security from such notifications.
Member States shall assess their national cybersecurity strategies on a regular basis and at least every five years on the basis of key performance indicators and, where necessary, update them. ENISA shall assist Member States, upon their request, in the development or the update of a national cybersecurity strategy and of key performance indicators for the assessment of that strategy, in order to align it with the requirements and obligations laid down in this Directive.
Relevant recitals
Recital 48 National cybersecurity strategies
For the purpose of achieving and maintaining a high level of cybersecurity, the national cybersecurity strategies required under this Directive should consist of coherent frameworks providing strategic objectives and priorities in the area of cybersecurity and the governance to achieve them. Those strategies can be composed of one or more legislative or non-legislative instruments.
Recital 97 Undersea communication cables
The internal market is more reliant on the functioning of the internet than ever. The services of almost all essential and important entities are dependent on services provided over the internet. In order to ensure the smooth provision of services provided by essential and important entities, it is important that all providers of public electronic communications networks have appropriate cybersecurity risk-management measures in place and report significant incidents in relation thereto. Member States should ensure that the security of the public electronic communications networks is maintained and that their vital security interests are protected from sabotage and espionage. Since international connectivity enhances and accelerates the competitive digitalisation of the Union and its economy, incidents affecting undersea communications cables should be reported to the CSIRT or, where applicable, the competent authority. The national cybersecurity strategy should, where relevant, take into account the cybersecurity of undersea communications cables and include a mapping of potential cybersecurity risks and mitigation measures to secure the highest level of their protection.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
incident
Definition
risk
Definition
ICT product
Definition
network and information system
- an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972;
- any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or
- digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance;
Definition
ICT service
Definition
cyber threat
Definition
public electronic communications network
Definition
entity
Definition
cybersecurity
Definition
vulnerability
Definition
national cybersecurity strategy