A Systematic Literature Review on the NIS2 Directive

Jukka Ruohonen

TL;DR

The paper tackles the challenge of understanding how academic research engages with the EU NIS2 directive, which broadens cyber security requirements for critical infrastructure. It conducts a systematic literature review of 37 peer-reviewed publications, most from 2024, focusing on legal framings and application contexts. The findings reveal heavy reliance on cross-referencing with other EU laws (notably the CRA, GDPR, DSA) and a wide array of technology contexts, highlighting gaps in evaluation research and practical deployment studies. The work provides a roadmap for future research and policy-oriented analysis to support the effective implementation of NIS2 across EU member states.

Abstract

A directive known as NIS2 was enacted in the European Union (EU) in late 2022. It deals particularly with European critical infrastructures, enlarging their scope substantially from an older directive that only considered the energy and transport sectors as critical. The directive's focus is on cyber security of critical infrastructures, although together with other new EU laws it expands to other security domains as well. Given the importance of the directive and most of all the importance of critical infrastructures, the paper presents a systematic literature review on academic research addressing the NIS2 directive either explicitly or implicitly. According to the review, existing research has often framed and discussed the directive with the EU's other cyber security laws. In addition, existing research has often operated in numerous contextual areas, including industrial control systems, telecommunications, the energy and water sectors, and infrastructures for information sharing and situational awareness. Despite the large scope of existing research, the review reveals noteworthy research gaps and worthwhile topics to examine in further research.

Paper Structure

This paper contains 6 sections, 1 figure, 2 tables.

Figures (1)

  • Figure 1: The Literature Search