National Cybersecurity Strategies: The 10 Mandatory Policy Areas

NIS2 Article 7 mandates 10 policy areas in national cybersecurity strategies. Understand what Member States must address and why it matters.

Daniel Grigorovich
Daniel Grigorovich
Founder · 26 Jun 2026 · 10 min read
NIS2
National Cybersecurity Strategies: The 10 Mandatory Policy Areas

Who should read this: Government policy makers, national cybersecurity coordinators, sector regulators, strategic planners, policy advisors, European bureaucrats.

The NIS2 Directive recognises that individual entity compliance is necessary but insufficient to achieve a resilient digital Europe. Member States must also develop coherent national cybersecurity strategies that establish policies, coordinate actors, and channel resources towards shared goals. Article 7 of the NIS2 Directive requires each Member State to establish a national cybersecurity strategy addressing ten specific policy areas. These are not optional recommendations; they are mandatory. Member States have until October 2025 to revise their strategies to comply with NIS2. This post outlines the ten policy areas and explains why the Directive mandates them.

The requirement for national strategies is not new. Previous EU cybersecurity frameworks encouraged Member States to develop strategies. The difference under NIS2 is that strategies are mandatory, and their scope is defined. Article 7(2) lists ten areas that must be covered. These are: cybersecurity governance, skills development, research and innovation, public-private partnerships, cyber defence, active cyber protection, ransomware policy, SME support, vulnerability disclosure, and supply chain risk management.

This mandate reflects a philosophical shift. Cybersecurity is no longer a technical matter to be delegated to IT departments. It is a strategic matter requiring whole-of-government coordination. Member States that do not actively shape their cybersecurity landscape through policy risk finding themselves reactive, driven by crises rather than vision. The Directive, by mandating strategies covering specific areas, pushes Member States towards strategic thinking.

The Ten Mandatory Policy Areas

Article 7(2) requires Member States to address these ten areas in their national cybersecurity strategies:

  1. Governance and coordination: Member States must establish a clear governance structure for cybersecurity, including identification of the responsible authority, coordination mechanisms among government agencies, and alignment with broader digital and security policies.

  2. Expertise and skills development: Member States must develop policies to build cybersecurity expertise. This includes education, training, certification, and attracting talent to the public and private sectors. Recital 56 specifically notes that Member States should support cybersecurity education and create career pathways in cybersecurity.

  3. Research and development: Member States should invest in or support research in cybersecurity technologies, threat intelligence, and resilience. This includes funding for universities, research institutes, and public-private research initiatives.

  4. Public-private partnerships: Member States should establish frameworks for public and private entities to collaborate on cybersecurity. This includes information sharing, joint training, and coordinated response to major incidents.

  5. Cyber defence capabilities: Member States must maintain or develop capabilities to detect, prevent and respond to cyber attacks. For most Member States, this is primarily the responsibility of government-designated Computer Security Incident Response Teams (CSIRTs) and law enforcement agencies.

  6. Active cyber protection: Member States should develop policies supporting proactive, rather than merely reactive, cyber security. This includes offering free tools and services to entities, conducting threat hunting, and actively disrupting attacker infrastructure.

  7. Ransomware policy: Recital 54 specifically calls on Member States to develop a policy addressing the rise of ransomware attacks. This should cover detection, response, prevention and, critically, discouraging payment of ransom demands (which finance further attacks).

  8. Small and medium-sized enterprise support: Recital 56 requires Member States to address the specific needs of SMEs through guidance, assistance and technical support. This includes establishing a point of contact for SMEs, offering subsidised services, and tailoring policies to SME capabilities.

  9. Vulnerability disclosure and coordinated vulnerability remediation: Member States should establish policies and procedures for researchers to report vulnerabilities responsibly and for vendors to remediate them. This includes promoting ISO/IEC 30111 and ISO/IEC 29147 standards for vulnerability handling.

  10. Supply chain security: Member States should develop policies addressing supply chain risks, particularly for critical ICT dependencies. This includes assessing supply chain resilience, diversifying suppliers, and ensuring security standards in procurement.

Governance and Coordination

Effective national cybersecurity depends on coordination. In many European Member States, cybersecurity responsibility is fragmented. The Ministry of Defence manages military cyber defence. A dedicated cybersecurity agency handles critical infrastructure. Sector regulators (financial, telecom, energy) set requirements within their domains. Law enforcement agencies investigate cyber crimes. Universities conduct research. Private companies implement defences.

Without coordination, these actors work in silos. A threat intelligence report from law enforcement does not reach the financial sector. Private sector defences are not informed by government threat assessments. Research breakthroughs in universities do not reach practitioners. NIS2’s governance requirement pushes Member States to establish structures that bridge these gaps.

This typically means designating a lead agency responsible for national cybersecurity strategy, establishing inter-ministerial coordination committees, creating information-sharing mechanisms, and defining clear escalation procedures for major incidents. Some Member States have created dedicated cybersecurity centres that serve as coordination hubs. Others have given existing security or digital agencies expanded mandate. The specific structure varies, but the requirement is clear: coordination must be intentional and structured.

Expertise and Skills

Cybersecurity expertise is scarce. European universities produce far fewer cybersecurity graduates than the market demands. Experienced professionals are recruited globally, often to higher-paying positions outside Europe. Governments struggle to attract talent to public sector roles, offering lower salaries than private companies.

NIS2 pushes Member States to address this through education and skills development policies. This includes:

  • University education: Supporting cybersecurity degree programmes, ensuring that cybersecurity is taught across relevant disciplines (computer science, engineering, law, policy), and creating pathways from education to employment.
  • Vocational training: Developing certifications and training programmes for practitioners who may not have formal university education but want to enter the field.
  • Continuous learning: Supporting professional development so that experienced practitioners stay current as threats and technologies evolve.
  • Career pathways: Making government and critical infrastructure roles attractive to talented professionals through competitive compensation, interesting work, and professional advancement.
  • Diversity: Ensuring that cybersecurity is accessible to people from diverse backgrounds, recognising that diverse teams solve problems better and that excluding potential talent is wasteful.

Research and Innovation

Cybersecurity is a rapidly evolving field. Today’s defences become tomorrow’s vulnerabilities. Member States should invest in research to:

  • Develop more secure technologies: Research into cryptography, formal methods, secure coding practices, and defensive technologies.
  • Understand emerging threats: Research into attacker motivations, capabilities, and techniques, particularly as they evolve in response to defences.
  • Improve resilience practices: Research into how organisations can quickly detect, respond to and recover from attacks.
  • Support the ecosystem: Universities, research institutes, and start-ups developing cybersecurity products and services need investment and support.

NIS2 positions research not as an academic luxury but as a strategic imperative. Without research, Europe becomes dependent on technologies developed elsewhere, creating both geopolitical vulnerability and a skills gap as practitioners use foreign solutions they did not develop and cannot fully understand.

Public-Private Partnerships

Cybersecurity is not purely a government function. Critical infrastructure is operated mostly by private companies. Threats affect both sectors. Information about threats discovered in the private sector is valuable to government; threat intelligence from government helps private entities protect themselves.

Article 7(2)(h) requires Member States to develop policies supporting public-private partnerships (PPPs) in cybersecurity. Recital 55 explains: “Public-private partnerships (PPPs) in the field of cybersecurity can provide an appropriate framework for knowledge exchange, the sharing of best practices and the establishment of a common level of understanding among stakeholders.”

Effective PPPs typically include:

  • Information-sharing mechanisms: Formal arrangements through which private sector entities report threats and incidents to government, and government shares threat intelligence with private entities.
  • Joint training and exercises: Sector-wide incident response drills, tabletop exercises, and training that bring public and private actors together.
  • Standard-setting: Collaborative development of security standards, best practices, and technical specifications.
  • Incident response: Pre-agreed procedures for government to assist private entities during major cyber attacks.
  • Governance: Clear roles, responsibilities, confidentiality protections, and escalation procedures.

Cyber Defence and Active Protection

Member States must maintain capability to detect and respond to cyber attacks. This is primarily the role of government CSIRTs, but it requires:

  • Threat intelligence: Capability to collect, analyse and disseminate information about threats.
  • Forensics and incident response: Capability to investigate attacks, preserve evidence, and help victims respond.
  • Offensive capability: Some Member States develop limited offensive cyber capability to disrupt attacker infrastructure or attribute attacks with high confidence. This is contentious and raises legal and ethical questions.

Active cyber protection goes beyond responding to attacks. It includes proactively disrupting malware, offering free security tools to entities, conducting threat hunting, and working with international partners to undermine attacker capabilities.

Ransomware and Payment Discouragement

Ransomware is explicitly called out in NIS2 as a policy priority. Recital 54 states: “In recent years, the Union has faced an exponential increase in ransomware attacks, in which malware encrypts data and systems and demands a ransom payment for release. The increasing frequency and severity of ransomware attacks can be driven by several factors, such as different attack patterns, criminal business models around ‘ransomware as a service’ and cryptocurrencies, ransom demands, and the rise of supply chain attacks.”

Member States should develop ransomware-specific policies that address detection, response, prevention, and critically, discouraging ransom payment. Some Member States have launched awareness campaigns explaining that ransomware payment finances further attacks, often to organised crime groups or nation-states. Some have worked with financial institutions to make it harder to transfer ransom payments. The theory is sound: if no one pays ransoms, the business model collapses.

In practice, this is difficult. Ransomware victims face enormous pressure to pay to restore operations quickly. Some are insured, making payment painless from their perspective. Others negotiate ransom amounts down significantly. The policy shift under NIS2 is to make paying the exception, not the norm, through awareness, financial controls, and law enforcement.

SME Support Structures

Article 7(2)(i) requires that “the Member State provides support for small and medium-sized enterprises, including guidance and assistance with regard to the management of cybersecurity risks and the implementation of appropriate technical, organisational and operational measures.” Recital 56 elaborates that “Member States should have a point of contact for small and medium-sized enterprises at national or regional level, which either provides guidance and assistance to small and medium-sized enterprises or directs them to the appropriate bodies for guidance and assistance with regard to cybersecurity related issues.”

This is a practical recognition that SMEs lack in-house expertise and cannot always afford external consultants. Member States should establish support mechanisms:

  • Help desks or hotlines: A point of contact where SMEs can ask questions and get guidance.
  • Free tools and resources: Vulnerability scanning tools, configuration templates, security frameworks adapted for SME scale.
  • Subsidised assessments: Government-funded or subsidised security assessments so SMEs can understand their risks without prohibitive cost.
  • Training: Free or subsidised training programmes for SME staff on cybersecurity basics.
  • Information sharing: Regular threat intelligence and alerts tailored to SME sectors.

Vulnerability Disclosure

NIS2 requires Member States to establish policies on vulnerability disclosure, the process through which security researchers report vulnerabilities to vendors before public disclosure. Good vulnerability disclosure practices ensure that vulnerabilities are patched before attackers can exploit them widely.

Policies should cover:

  • Frameworks: Clear procedures for researchers to report vulnerabilities, vendors to acknowledge and fix them, and all parties to agree on disclosure timing.
  • Incentives: Bug bounty programmes or recognition for researchers who report vulnerabilities responsibly.
  • Standards: Alignment with ISO/IEC 30111 and ISO/IEC 29147, which provide international guidance.
  • Legal protection: Ensuring that researchers who report vulnerabilities in good faith are not prosecuted or sued for doing so.

Supply Chain Risk Management

The final policy area addresses supply chain risks. This includes working with industry to identify dependencies, encouraging supplier diversification, setting security standards in procurement, and conducting the coordinated supply chain assessments described in Article 22.

Key Takeaways

  • NIS2 Article 7(2) mandates that Member States develop national cybersecurity strategies addressing ten specific policy areas.
  • The ten areas are: governance, expertise and skills, research and innovation, public-private partnerships, cyber defence, active cyber protection, ransomware policy, SME support, vulnerability disclosure, and supply chain risk management.
  • National strategies are not aspirational; they are binding policy instruments that shape how Member States allocate resources and coordinate actors.
  • Governance and coordination are foundational; without coordination, different government agencies and private sector actors work in silos, reducing effectiveness.
  • Skills and research are strategic priorities; without domestic expertise and innovation, Europe becomes dependent on foreign technologies and faces barriers to deploying and understanding critical defences.
  • SME support recognises that most European businesses lack in-house cybersecurity expertise and need government assistance to meet baseline security standards.
  • Ransomware, vulnerability disclosure, and supply chain risk management are policy priorities specifically called out in NIS2 recitals as areas where Member States have played inadequate roles historically.
Daniel Grigorovich

Daniel Grigorovich · Founder

I believe that no business should suffer from "compliance checklists" or navigating vague regulatory text. While I still stand by the principle that all software products should be reliable and secure, I want to give companies a way to overcome the challenges faced when implementing these requirements.