National Cybersecurity Strategies Under NIS2: What Article 7 Requires

NIS2 Article 7 requirements for national strategies: policy framework, sectoral governance, research, and risk assessment mandates for Member States.

Daniel Grigorovich
Founder · 15 May 2026 · 8 min read

Who should read this: Policymakers, Government Officials, Strategic Planners.

The NIS2 Directive is more than a set of operational requirements for organisations managing critical infrastructure. It is also a framework for Member State governance: it requires governments to establish comprehensive national strategies for cybersecurity, designate authorities, coordinate sectoral oversight, and assess national risk. Article 7 establishes the mandate.

Article 7 requires each Member State to develop and maintain a national cybersecurity strategy addressing strategic objectives, sectoral approaches, and risk assessment. The strategy is not a detailed compliance manual; it is a policy framework guiding the government’s approach to cybersecurity across sectors, and informing the designation of authorities, the scope of regulations, and public-private cooperation.

For policymakers and government officials, understanding Article 7 requirements clarifies the scope of strategic obligations and the relationship between national strategies and the designated authorities and regulatory bodies that implement NIS2. This post unpacks Article 7, explores the elements of a compliant national strategy, and discusses how national strategies inform sectoral implementation.

Article 7 Requirements: The Core Elements

Article 7 requires Member States to develop and maintain a national cybersecurity strategy that includes:

Strategic objectives: The strategy must define what the Member State aims to achieve through cybersecurity governance. Strategic objectives might include protecting critical infrastructure from cyber threats, ensuring the continuity of essential services, developing domestic cybersecurity capabilities (research, skills, industry), and enhancing international cooperation on cyber threats.

Sectoral approach: The strategy must address cybersecurity across sectors, recognising that different sectors face different threats and have different risk profiles. The strategy should identify which sectors are most critical, what risks each faces, and what governance approach is appropriate.

Risk assessment: The strategy must be informed by a national cybersecurity risk assessment identifying the major threats facing the nation, the vulnerabilities in critical systems, and the potential impact of major incidents. This assessment guides prioritisation of resources and governance focus.

Governance and institutional framework: The strategy should define which authorities are responsible for cybersecurity oversight in each sector, how authorities coordinate, and how the public and private sectors cooperate.

Sectoral governance: Within the strategy, Member States address each critical sector (energy, healthcare, transport, digital infrastructure, etc.) with governance approaches reflecting the sector’s characteristics. This may include sector-specific authorities, sector-specific standards, and sector-specific incident response procedures.

The strategy is not a static document; it should be reviewed and updated periodically (typically every 2-3 years) to reflect evolving threats, technological changes, and lessons learned from incidents.

Strategic Objectives and Policy Direction

The strategic objectives element of a national cybersecurity strategy articulates the government’s cybersecurity priorities. Strategic objectives might include:

Deterrence and attribution: Establishing capabilities to attribute cyber attacks to threat actors and imposing costs on attackers (through sanctions, indictments, or counter-operations). This requires intelligence agencies, law enforcement, and international cooperation.

Critical infrastructure protection: Ensuring that the essential services most critical to national functioning (energy, healthcare, finance, communications) are resilient to cyber attacks. This requires governance frameworks, regulatory oversight, and public-private partnerships.

Capability development: Building domestic cybersecurity capabilities through education, skills development, research investment, and support for the domestic cyber industry. This recognises that cybersecurity is a competitive advantage and that dependencies on foreign suppliers of cybersecurity tools or expertise create strategic vulnerabilities.

International cooperation: Establishing partnerships with other governments and international organisations to share threat intelligence, coordinate on cyber diplomacy, and develop norms against destructive cyber operations.

Citizens and SME security: Extending cybersecurity awareness and basic security practices to citizens and small and medium enterprises, reducing the prevalence of compromised personal devices and small business networks.

Each strategic objective translates into concrete policies: for example, a deterrence objective might require investment in cyber threat attribution capabilities; a critical infrastructure protection objective might require sectoral governance frameworks; a capability development objective might require education investments and R&D funding.

Sectoral Approach: Recognising Differences Across Industries

The sectoral approach element recognises that different sectors face different cybersecurity challenges and require different governance responses. A national strategy typically addresses major sectors:

Energy (power generation, distribution, gas networks): Energy systems are highly interconnected and span multiple countries (electricity grids are cross-border). Disruptions cascade rapidly. Governance must address both physical security and cybersecurity, and must coordinate with neighbouring countries.

Healthcare (hospitals, pharmaceuticals, medical device manufacturers): Healthcare systems are life-critical; cyber incidents can directly affect patient safety. Governance must balance security with operational flexibility (clinical staff must be able to respond rapidly to patient needs) and must protect highly sensitive personal health data.

Finance (banks, payment systems, financial markets): Financial systems are systemically important; disruptions cascade through economies. Governance must address operational continuity and fraud prevention.

Transport (aviation, rail, maritime, road): Transport systems are critical to goods and passenger movement across the EU. Governance must address safety-critical aspects and cross-border coordination.

Digital infrastructure (cloud providers, DNS services, content delivery networks): Digital infrastructure providers are embedded in nearly all other critical sectors. A disruption at a major cloud provider affects healthcare, finance, e-commerce, and others.

Telecommunications: Telecommunications networks carry critical services (emergency communications, financial transactions, infrastructure control). Governance must address both service continuity and wiretapping/surveillance safeguards.

For each sector, the national strategy addresses:

Sector-specific threats: What are the main cyber threats to this sector? Who are likely adversaries? What are likely attack vectors?

Sector-specific vulnerabilities: What characteristics of the sector create cybersecurity vulnerabilities? (E.g., healthcare’s legacy medical devices; energy’s reliance on industrial control systems; finance’s high-speed trading systems.)

Sector-specific governance: Which authority oversees cybersecurity in this sector? What regulations apply? How does the sector cooperate with government on threats and incidents?

Sector-specific capabilities and resilience: What capabilities does the sector possess for detecting and responding to incidents? What gaps exist?

National Risk Assessment

Article 7 requires that the national strategy be informed by a national cybersecurity risk assessment. This assessment identifies the major cyber threats facing the Member State and the vulnerabilities in critical systems, and assesses the potential impact of major incidents.

A national risk assessment might identify, for example:

Geopolitical threats: Cyber operations by particular nations or state-sponsored groups targeting the Member State. These might be characterised by nation, motive (espionage, disruption, disinformation), target sectors, and typical attack patterns.

Ransomware threats: The prevalence and characteristics of ransomware attacks, typical target sectors, and ransom demands.

Insider threats: The prevalence of data theft, sabotage, or disruption by insiders (current or former employees).

Supply chain vulnerabilities: Dependencies on software or hardware from particular suppliers, and risks of compromise at the supplier.

Systemic vulnerabilities: Common vulnerabilities in critical systems, e.g., reliance on particular software platforms, shared infrastructure dependencies, or legacy systems unable to be patched.

Capability gaps: Areas where the nation’s defensive capabilities are weak, e.g., insufficient skilled cybersecurity personnel, limited forensic investigative capabilities, or weak CSIRT resources.

The risk assessment informs prioritisation: resources are directed toward the greatest risks.

Governance Framework and Authority Designation

Article 7 requires that the national strategy articulate the governance framework through which cybersecurity is coordinated. This includes:

Authority designation: Which government body or bodies are responsible for cybersecurity oversight? Is there a single national cybersecurity authority, or are responsibilities distributed across sector-specific regulators?

Coordination mechanisms: How do authorities coordinate? Is there a national coordination body (e.g., a national-level counterpart to the Cooperation Group, or an inter-ministerial committee)?

Public-private partnerships: How does government engage with private sector entities (essential service providers, vendors, critical infrastructure operators)? What communication channels exist for information sharing, threat notification, and incident coordination?

International coordination: How does the Member State coordinate with other EU Member States and with international partners on cyber threats and incident response?

Sectoral Governance Implementation

Within the overall national strategy, Member States address each critical sector with specific governance approaches. This sectoral governance translates the strategy into operational frameworks. For example, a sectoral governance approach for healthcare might include:

Designation of a health sector authority (e.g., the health ministry or a dedicated health IT agency) responsible for NIS2 implementation in healthcare.

Identification of healthcare essential service providers (hospitals, pharmaceutical manufacturers) subject to NIS2.

Establishment of sector-specific guidance clarifying proportionate cybersecurity measures for healthcare entities of different sizes.

Development of health sector-specific incident response procedures, recognising the unique challenges of incident response in clinical settings.

Coordination with health regulators (medical device authorities, pharmaceutical regulators) to align cybersecurity with existing product safety regulation.

Engagement with healthcare provider associations, hospital networks, and vendor groups to communicate expectations and facilitate compliance.

Evolution and Updating of National Strategies

National cybersecurity strategies are not static documents. They should be reviewed and updated periodically (typically every 2-3 years, and more frequently if major incidents or threat developments warrant).

Updates might address:

Evolving threats: As new threat actors emerge or attack patterns change, the strategy should be updated to reflect the changing threat landscape.

Technological change: As new technologies emerge (e.g., artificial intelligence, quantum computing, cloud computing), the strategy should address their cybersecurity implications.

Regulatory change: As new EU directives are implemented or existing regulations are amended, the national strategy should align.

Lessons learned: Major incidents or breach investigations often reveal systemic vulnerabilities. The strategy should be updated to address identified gaps.

Effectiveness assessment: Periodic assessment of whether the strategy is achieving its objectives, and what adjustments are needed.

Relationship to NIS2 Operational Requirements

The relationship between Article 7 (national strategies) and Articles 20-26 (operational requirements for designated entities) is worth stating explicitly. Article 7 establishes the strategic policy framework; Articles 20-26 establish operational requirements for organisations managing critical infrastructure.

The national strategy is not itself the set of operational requirements. Instead, the national strategy provides the policy context and governance framework within which operational requirements are defined, authorities are designated, and entities are regulated.

In practice, this means:

A national strategy articulating strategic objectives and sectoral approaches informs which authorities are designated to regulate each sector.

Competent authorities, informed by the national strategy, promulgate sector-specific guidance clarifying what proportionate cybersecurity measures look like in their sectors.

Designated entities, knowing the national strategy and sectoral guidance, implement proportionate measures tailored to their size, sector, and risk profile.

The strategy also informs international engagement: Member States use national strategies as the basis for discussing EU cybersecurity priorities with peer Member States and in EU coordination mechanisms.

Key Takeaways

  • Article 7 requires Member States to develop and maintain national cybersecurity strategies addressing strategic objectives, sectoral approaches, and risk assessment.
  • Strategic objectives define what the Member State aims to achieve: protecting critical infrastructure, developing domestic capabilities, enhancing international cooperation, and building public-private partnerships.
  • Sectoral approach recognises that different sectors (energy, healthcare, finance, transport, digital infrastructure) face different threats and require different governance responses.
  • National cybersecurity risk assessment identifies major threats and vulnerabilities facing the Member State and informs prioritisation of government resources and focus.
  • Governance framework articulates which authorities are responsible for cybersecurity oversight, how authorities coordinate, and how public and private sectors cooperate.
  • National strategies are living documents, reviewed and updated periodically (every 2-3 years) to reflect evolving threats, technological changes, and lessons learned.
  • The national strategy provides the strategic policy context for NIS2 implementation; it informs authority designation and sectoral guidance, but does not directly impose operational requirements on entities (which are established in Articles 20-26).
Daniel Grigorovich · Founder

I believe that no business should suffer from "compliance checklists" or navigating vague regulatory text. While I still stand by the principle that all software products should be reliable and secure, I want to give companies a way to overcome the challenges faced when implementing these requirements.