A Systematic Literature Review on the NIS2 Directive
Abstract
A directive known as NIS2 was enacted in the European Union (EU) in late 2022. It deals particularly with European critical infrastructures, enlarging their scope substantially from an older directive that only considered the energy and transport sectors as critical. The directive’s focus is on cyber security of critical infrastructures, although together with other new EU laws it expands to other security domains as well. Given the importance of the directive and most of all the importance of critical infrastructures, the paper presents a systematic literature review on academic research addressing the NIS2 directive either explicitly or implicitly. According to the review, existing research has often framed and discussed the directive with the EU’s other cyber security laws. In addition, existing research has often operated in numerous contextual areas, including industrial control systems, telecommunications, the energy and water sectors, and infrastructures for information sharing and situational awareness. Despite the large scope of existing research, the review reveals noteworthy research gaps and worthwhile topics to examine in further research.
Keywords: cyber security regulations, criticality, critical infrastructure, risk management, information sharing, situational awareness, public administration, NIS2, CRA, EU

1 Introduction
Europe, like all regions in the world, is facing an ever-increasing trend of digitalization. With increasing digitalization come also increasing cyber security risks. At the same time, geopolitical conflicts and tensions have emerged throughout the world, and technological development progresses rapidly. These and other “mega-trends” affect cyber security too. Given this state of affairs, the EU has recently adopted many new cyber security regulations. Among these is the NIS2 directive. It repeals an older 2016 directive that addressed the cyber security of network and information systems (NIS). The older directive was an important historical part in the evolution of the EU’s overall cyber security framework. In terms of public sector administration and governance, it was built upon national computer security incident response teams (CSIRTs), which too are an important part of the global evolution of cyber security governance (Skopik et al., 2016). The new NIS2 directive builds upon this evolutionary trajectory, further strengthening CSIRTs and their coordination with private sector actors.
Coordination is important because many, if not most, of Europe’s critical infrastructures are either owned or operated by private sector entities. The NIS2 directive categorizes these entities into two groups: essential and important. More requirements are imposed upon the former group. In general, the demarcation between the two groups is done by relying on the concept of criticality, which in the NIS2’s Article 2 mostly refers to “critical societal or economic activities”. With this concept, eleven sectors of high criticality are listed in the directive’s Annex I. These include traditional critical infrastructure sectors, such as the energy and transport sectors, as well as banking, healthcare, and central government administration. In addition, Annex II provides a further listing of other critical sectors, including postal services, waste management, research institutions, and providers of digital services, whether online marketplaces or search engines. These exhaustive listings alone make the NIS2 directive highly relevant for the research domain investigating critical infrastructures.
Many reviews (e.g., Mikac, 2023) have already been published about the NIS2 directive and its relation to critical infrastructure protection in Europe. However, thus far, a review has been lacking about the research addressing NIS2 either explicitly or implicitly. Against this backdrop, the paper presents a systematic literature review (SLR) about NIS2-related research. The goal is thus not a comprehensive review of the NIS2 directive itself; instead, the motivation and focus are on the aspects existing research has considered relevant or interesting about the directive, and on the particular contexts in which the directive has been discussed in the academic literature. On these notes, Section 2 elaborates the SLR approach used for retrieving the literature. Then, the review is presented in Section 3, after which the conclusion follows in Section 4.
2 Methods
The search procedure for the SLR was simple: the databases of six scientific publishers were queried with the string “NIS2 AND directive”, where AND is a Boolean operator. The word directive was necessary because the acronym NIS2 refers to other things in biomedical and related sciences. With two exceptions, the searches were restricted to abstracts. The first exception is Elsevier’s ScienceDirect database, for which the search was restricted to abstracts, titles, and keywords supplied by authors. The second exception is Springer’s database, which does not allow searches to be restricted to specific elements in publications. For this database, “NIS2 directive” (with the quotation marks) was used as the search term. With respect to SLRs in general, these two exceptions demonstrate that the long-lasting problem with publishers’ databases is still present (Kitchenham et al., 2009). Then, regarding the other crucial factor in SLRs, the exclusion criteria, publications were only qualified insofar as they (1) were peer reviewed, (2) were written in English, and (3) discussed the NIS2 directive explicitly with more than three sentences. The last exclusion criterion ensured that publications merely mentioning the NIS2 directive in passing did not enter the sample.
As can be seen from the illustration in Fig. 1, the final sample contains publications. Most of these were published by Springer. Conventional scientific articles and publications in peer reviewed conference proceedings are the most common publication types, although the sample also contains a few monographs and edited collections.

The relatively small number of papers is likely partially explained by the fact that NIS2 is still rather new. This point manifests itself also in that all publications sampled are relatively new; the majority was published in 2024. Although the deadline for national transpositions of the NIS2 directive was in October 2024, as specified in the NIS2’s Article 41, the implementation work continues also thereafter. For instance, the deadline for the member states to identify their critical entities is in April 2025 according to Article 3(3). Already these deadlines and other schedules imply that practical evaluation research is missing from the sample. While critical reflections have been published, it is understood in the literature that evaluations can only be done after the directive has been operational for a sufficient amount of time (Ruohonen, 2024). Against this backdrop, it seems fair to assume that evaluation work will also be published in the future, whether the work is about legal analyses of national adaptations, administration and enforcement, or the actual cyber security impact. In any case, a sample of slightly fewer than forty papers avoids the feasibility (Kitchenham et al., 2009) and breadth-versus-depth (Fisch and Block, 2018) obstacles commonly encountered in SLRs.
3 Review
The review of the publications is presented by focusing on two broad themes: the framing presented in the publications with respect to other EU laws and the EU’s jurisprudence in general, and the technological or other application contexts the publications have focused on. The former theme is important because it helps to understand how the publications have generally understood and approached the EU’s cyber security governance framework. It is also important because the sample contains legal scholarship too. Then, the second theme is relevant because it allows one to understand the contexts academic research has considered relevant or interesting in terms of the NIS2 directive. Both themes are also relevant regarding the common rationale behind SLRs, the examination of whether there are notable gaps in existing knowledge. Before continuing, a remark about presentation should be made: because the review also mixes in a few relevant publications that are not part of the actual sample, the publications belonging to the SLR per se are enumerated and identified in the two tables presented below.
3.1 Legal Framings
The legal framings done in the publications are summarized in Table 1. As can be seen, quite a few other EU laws have been frequently discussed in conjunction with the NIS2 directive. The large number of related laws discussed prompts the first critical reflection: many publications have merely pointed out or even enumerated EU laws without any deeper analysis. While it is important to acknowledge the existence of regulations, it remains debatable what scholarly purposes brief listings or footnote-like mentions serve. The second point is that some publications have connected the large number of EU laws to an argument that complexity and regulatory fragmentation have increased (Chiara, 2022b; de Vasconcelos Casimiro, 2023; Ruohonen, 2024). The third point is that only five publications have discussed the NIS2 directive in relation to the Critical Entities Resilience (CER) directive (Directive (EU) 2022/2557). This point is important and somewhat surprising because the NIS2 and CER directives are Siamese twins. In particular, both directives operate with the same critical entities, the identification of which should be synchronized in national adaptations to ensure sound administration and enforcement.
Table 1: Legal framings in the reviewed publications

| Framing towards | Publications |
|---|---|
| The CER | de Vasconcelos Casimiro (2023); Möller (2023); Muñoz-Navarro et al. (2025); Ruohonen (2024); Wysocki (2024) |
| The CRA | Chiara (2022a); Eckhardt and Kotovskaia (2023); Jara et al. (2024); Krauze and Grabis (2024); Meagher and Dhirani (2024); Ruohonen (2024); Shaffique (2024); Wylde et al. (2023) |
| The CSA | Ellul et al. (2023); Meagher and Dhirani (2024); Shaffique (2024) |
| The CSOA | Krauze and Grabis (2024); Ruohonen (2024) |
| The DSA | Wylde et al. (2023) |
| The DORA | Bobbert and Timmermans (2024); de Vasconcelos Casimiro (2023) |
| The e-privacy directive | Meagher and Dhirani (2024) |
| The GDPR | Krauze and Grabis (2024); Meagher and Dhirani (2024); Wylde et al. (2023) |
| The MDR | Chiara (2022b) |
| The PSD2 | Gounari et al. (2024) |
| The NIS directive | Martino (2024); Vandezande (2024); Veigurs et al. (2024) |
| The RED | Chiara (2022b) |
| National laws in the EU | Grotto and Schallbruch (2021); Martino (2024); Schmitz-Berndt and Chiara (2022); Wanecki et al. (2023) |
| National laws in other countries | Grotto and Schallbruch (2021); Malone and Walton (2023); Veigurs et al. (2024); Wylde et al. (2023) |
The fourth point is that NIS2 has, perhaps a little surprisingly, been frequently discussed in conjunction with the Cyber Resilience Act (CRA; Regulation (EU) 2024/2847). A possible explanation might be that these two EU laws have been perceived as particularly relevant and important in terms of cyber security, a sentiment with which the author of this paper would also agree. Though, with respect to legal background, the two are rather different because the CRA’s background and logic are strongly motivated by and built upon the EU’s product safety laws and consumer protection jurisprudence in general (Chiara, 2022a). Another foundational divergence is related: the NIS2 directive is on the side of critical infrastructure protection, including with respect to services vital to the functioning of European societies, whereas the CRA seeks to improve the cyber security of software and hardware products. Given these fundamental divergences, the rationale behind many studies has been comparative: to evaluate whether and where there are still similarities. In this regard, the reporting and communication obligations imposed by the two laws have been investigated with an argument that synchronization would again be desirable to the extent possible (Chiara, 2022a). In addition, common traits have been found in terms of risk analysis and risk management, definitions regarding criticality, incident handling, and market surveillance provisions (Eckhardt and Kotovskaia, 2023; Jara et al., 2024; Shaffique, 2024). These research results and the arguments thereto are related to the earlier point about complexity and fragmentation. If the arguments are true, better coordination during policy-making could perhaps have prevented regulatory fragmentation, duplication, and general policy incoherence.
Many other EU laws have also been frequently mentioned when discussing NIS2. Among these are the Cyber Security Act (CSA; Regulation (EU) 2019/881), the law proposal for a Cyber Solidarity Act (CSOA; COM(2023) 209 final), and the so-called e-privacy directive (Directive 2002/58/EC). These further laws lead to the fifth point: many of the additional laws were often discussed because they were relevant in the particular context a publication operated in. For instance, a publication investigating the so-called metaverse expectedly discussed also the General Data Protection Regulation (GDPR; Regulation (EU) 2016/679), further raising points regarding the Digital Services Act (DSA; Regulation (EU) 2022/2065). Another example is the several publications operating in the Internet of things (IoT) domain. Here, not only is the CRA (Regulation (EU) 2024/2847) relevant, but also the older Radio Equipment Directive (RED; Directive 2014/53/EU) applies. A similar point applies to medical devices, which are excluded from the CRA’s scope, but to which the Medical Devices Regulation (MDR; Regulation (EU) 2017/745) applies. A further example would be the couple of publications operating in the domain of banking and finance. In this domain the PSD2 (Directive (EU) 2015/2366) and DORA (Regulation (EU) 2022/2554) laws are relevant. Finally, there is the NIS2’s predecessor, the old NIS directive (Directive (EU) 2016/1148). In this regard, three publications have taken the always sensible approach of investigating what is really new.
As if the multitude of EU laws were not enough, legal scholarship in particular, but also other research, has further investigated national laws in Europe, including the transpositions of the EU laws, as well as related cyber security laws in other, non-European countries. The examples include comparisons of cyber security laws and cyber security governance in Germany and the United States (Grotto and Schallbruch, 2021), Germany and Italy (Schmitz-Berndt and Chiara, 2022), Canada and the EU (Malone and Walton, 2023), Australia, Canada, the EU, and the United States (Veigurs et al., 2024), and the EU and the United Kingdom (Wylde et al., 2023). In addition, there are a couple of publications investigating similar topics with national case studies focusing on Italy (Martino, 2024) and the Czech Republic (Wanecki et al., 2023). Despite some progress, a critical but reasonable argument can be raised that the existing knowledge is very limited and fragile, particularly regarding the international scene. It also seems unlikely that SLRs alone could address this limitation. Instead, it might be more reasonable to tackle the knowledge gap with longer term pursuits involving international conferences, edited collections, special issues in journals, and other related means.
3.2 Contexts
The NIS2 directive has been discussed in a number of different contexts, some of which are directly related to distinct technologies and some others of which are more generally about cyber security. The study contexts are summarized in Table 2. For unpacking the table, one can start by noting the couple of publications that have addressed the NIS2 directive in a context involving industrial control systems, including supervisory control and data acquisition (SCADA) systems, and related technologies. The more specific contexts are threat modeling and risk analysis for industrial control networks (Meagher and Dhirani, 2024) and a cyber security analysis of water towers (Katulić et al., 2024). Industrial control and SCADA systems are generally good examples because they are often seen as being the primary technological components behind critical infrastructures (Lehto, 2022). Furthermore, water towers are a relevant example because both drinking water and waste water are specified as critical entities in the NIS2 directive. In addition, the energy sector too is specified as a critical entity; in fact, NIS2 specifies anything and everything related to electricity, heating and cooling, oil, gas, and hydrogen as being critical. To this end, the unpacking can be continued by noting a couple of publications operating in the energy sector context. The first of these two publications is about using digital twins to monitor smart grids (Coppolino et al., 2024). The second is a more general policy analysis, including with respect to NIS2, which recommends that policy-makers consider new technologies, such as artificial intelligence (AI), cyber security training and education, and improved coordination to tackle cyber threats affecting the energy sector (Mersni et al., 2024). There are also other contexts explicitly related to Europe’s critical infrastructures.
Table 2: Study contexts in the reviewed publications

| Domain | Publications |
|---|---|
| Assurance | Ellul et al. (2023) |
| Cloud computing | Walden and Michels (2024) |
| Deception and camouflage | Wysocki (2024) |
| Digital twins | Coppolino et al. (2024) |
| Energy and smart grids | Coppolino et al. (2024); Mersni et al. (2024) |
| Industrial control systems | Katulić et al. (2024); Meagher and Dhirani (2024) |
| Information sharing infrastructures | Giunta et al. (2025); Muñoz-Navarro et al. (2025); Skias et al. (2022) |
| Internet of things | Chiara (2022b); Coppolino et al. (2024); Chiara (2024); Jara et al. (2024); Shaffique (2024) |
| Metaverse | Wylde et al. (2023) |
| Security management infrastructures | Bocianiak et al. (2024) |
| Smart cities | Horalek et al. (2024) |
| Security awareness | Schaberreiter et al. (2022) |
| Security standards | Krauze and Grabis (2024); Meagher and Dhirani (2024) |
| Telecommunications | Almagro (2023); Casaril and Galletta (2024); Henze et al. (2024); Schaberreiter et al. (2023) |
| Zero trust | Bobbert and Timmermans (2024) |
As could be expected, telecommunications and computer networking have also been a context for discussing the NIS2 directive. These belong to the NIS2’s critical digital infrastructure category, which covers not only electronic telecommunications networks but also many related critical infrastructures, including content delivery networks (CDNs), data centers, top-level domain (TLD) name registries, and domain name system (DNS) service providers. Regarding the publications operating in this context, local and regional networks (Schaberreiter et al., 2023), cellular 5G networks (Henze et al., 2024), and satellite communication networks (Casaril and Galletta, 2024) have been contextualized with respect to NIS2. Satellite communication networks are an interesting case because these fall partially into the NIS2’s category of critical space technologies. It can also be mentioned that AI has again been a motivating technology in this context too; it is seen to enhance monitoring, situational awareness, vulnerability and anomaly detection, and even so-called self-healing (Schaberreiter et al., 2023). As a broad and arguably somewhat vague concept (Franke and Brynielsson, 2014), situational awareness is also a suitable overall theme for characterizing a mixture of distinct publications dealing with information sharing and associated infrastructures.
The information sharing and situational awareness context involves ambitious projects trying to combine several layers of European critical infrastructures, including everything from industrial control and SCADA systems to video surveillance, drones, and digital twins, to improve cross-country and cross-sectoral risk analysis and incident management (Giunta et al., 2025). In a similar vein, there is also a large-scale project trying to address the risk analysis obligations imposed by the CER and NIS2 directives upon critical infrastructure operators by means of collecting data from legacy systems and new sensors, improving communication infrastructures between stakeholders, and providing emergency response plans (Muñoz-Navarro et al., 2025). A further project seeks to develop a pan-European incident sharing platform (Skias et al., 2022). All three of these projects have been funded through the EU’s Horizon Europe programme.
In a somewhat similar context, it is worth mentioning a publication that designed a multi-layered security management platform for managing cloud computing infrastructures, edge computing, and IoT devices (Bocianiak et al., 2024). Another comparable design envisioned combining data from SCADA systems, security information and event management (SIEM) systems, and IoT devices, again pitching AI as the silver bullet (Jara et al., 2024). A further publication designed digital twins with the help of IoT devices (Coppolino et al., 2024). These designs are good examples because they demonstrate how the IoT context might be seen as being related to critical infrastructures: although IoT devices do not obviously belong to the NIS2’s categorization of critical entities, cloud computing is defined as a critical entity. A similar reasoning has been behind comprehensive legal analyses about the EU’s new regulatory impacts upon IoT devices (Chiara, 2024; Chiara, 2022b). Despite these legal analyses and technical designs, it still remains generally unclear to what extent, if at all, the NIS2 directive applies in the IoT context. To this end, some publications have seen the CRA as a more relevant regulation in this context (Shaffique, 2024). An analogous point has been raised with respect to metaverse, virtual reality, and augmented reality technologies (Wylde et al., 2023). All in all, these issues demonstrate the difficulties in defining, demarcating, and conceptualizing critical infrastructures through technologies.
The difficulties can be related to the so-called interconnectedness problem in the critical infrastructure literature; many critical infrastructures depend on each other, opening a risk of cascading failures, among other things (Harašta, 2018; Hurst and Shone, 2024; Little, 2002). The interconnectedness problem is seen also in a publication addressing smart cities, which were framed by connecting these to technological infrastructures and the transport, healthcare, public administration, and many other sectors (Horalek et al., 2024). The problem becomes even more convoluted once software is taken into account; not only are SCADA or situational awareness systems powered by software, but practically all the critical entities listed in the NIS2 directive are dependent on software, and software too typically contains dependencies (Ruohonen et al., 2024). The difficulties can also be used to back up an argument that the EU’s conception of critical infrastructure is not entirely sectoral anymore because cloud computing, the DNS, CDNs, and many related technologies are defined as critical entities in the NIS2 and CER directives. A similar argument has been raised in a publication addressing cloud computing in the NIS2 context. Although the NIS2 directive’s category of critical digital infrastructure was motivated by the policy-makers not only with its overall criticality but also with its dependencies, no details are available regarding how the assessments and measurements were done (Walden and Michels, 2024). This criticism aligns with a further critical argument that the policy-makers might have defined too many sectors as critical (Ruohonen, 2024). Having said that, the SLR sample also contains several publications that are not explicitly related to any specific technology or sector. These publications deserve a brief elaboration too.
Related to the legal framings discussed in the previous section are further framings toward technical standards. In this regard, it can be noted that the NIS2’s recitals 58 and 79 motivate incident management, vulnerability coordination, threat analysis, and general cyber security measures with explicit mentions of the international ISO/IEC 30111, ISO/IEC 29147, and ISO/IEC 27000 series of standards. The new European NIS2 cooperation group is also tasked with exchanging best practices and information related to standards according to Article 14(4)(c). Furthermore, Article 25 encourages the member states to comply with European and international standards when implementing the cyber security risk management measures specified in Article 21. However, it can be noted that the NIS2 directive does not explicitly entail the development of specific European standards, which are an essential part of the CRA and conformance with it. With these notes, it is understandable that a couple of publications have discussed NIS2 in relation to standards. Among the standards discussed are the noted ISO/IEC standards (Krauze and Grabis, 2024). In addition, the ISA/IEC 62443 standard and standards developed by the National Institute of Standards and Technology (NIST) in the United States have been discussed and used (Meagher and Dhirani, 2024). These publications align with a more general take on assurance, particularly with respect to software (Ellul et al., 2023). Standards and assurance are important topics for further evaluation work once the NIS2 directive has been fully implemented.
Finally, the SLR protocol captured three publications that do not fit well into the previous thematic categorizations. The first publication is about designing the so-called zero trust security model in a context involving national CSIRTs, security operations centers (SOCs), and data breaches (Bobbert and Timmermans, 2024). In this regard, it is worth recalling that CSIRTs are the essential public sector organizations in the NIS2 directive, the CRA, and related EU laws, whereas SOCs are related to the CSOA law proposal. The second publication is about cyber security awareness, which is seen to be linked to the noted situational awareness technologies in the NIS2 context (Schaberreiter et al., 2022). The third publication is more about physical security; it discusses camouflaging critical infrastructures in order to prevent threats related to theft, sabotage, terrorism, and related human-driven endeavours (Wysocki, 2024). Such threats and risks are a good way to end the review because they underline that cyber security is only a part of the overall security conundrum in today’s Europe.
4 Conclusion
The paper presented a systematic literature review on the new NIS2 directive. The directive is an important part of the EU’s regulatory cyber security framework. It addresses particularly the cyber security of critical infrastructures in Europe. According to the review presented, the increased complexity and regulatory fragmentation are visible also in the literature, in the sense that many publications have framed and discussed the NIS2 directive in relation to numerous other EU laws. It seems reasonable to conclude that the overall judicial crux will motivate further work for years to come.
The publications reviewed have also discussed the NIS2 directive in various different contexts. Among these are traditional critical infrastructure contexts, such as those related to the energy and water sectors, industrial control and SCADA systems, and telecommunications. Many publications have also sought to design and develop new infrastructures and platforms for better information sharing and situational awareness. In addition, various technologies, whether IoT devices, AI, smart cities, or digital twins, have been discussed in relation to NIS2 alongside standards and miscellaneous cyber security topics. Given the eleven critical sectors considered in the NIS2 and CER directives, it seems again safe to assume that these sectors will motivate a lot of further work concentrating on particular contexts. For instance, setting aside a single publication dealing with satellite communications, none of the publications reviewed discussed space technologies, which are certainly an interesting contextual area to study also from a cyber security perspective in the future. Nor was there a publication in the sample that would have focused on public administration as a critical entity.
In addition to these concluding remarks, six points can be raised about research gaps and topical areas that would require or benefit from further work. These six points should not be taken to imply that there would not be more; the NIS2 directive is a comprehensive law that likely opens also other further research possibilities.
First, it is worth revisiting the argument about the NIS and CER directives having expanded the scope of critical infrastructures. Both legal and more theoretical further research is warranted in this regard. A generic problem with expansions is well-recognized in the academic literature; terms such as conceptual expansion (Spinuzzi,, 2011) and conceptual stretching (Ruohonen,, 2021) have been used to elaborate the dangers involved with enlarged definitions; once almost everything belongs to a definition or a theoretical concept, the definition or concept starts to lose its qualifying characteristics. In other words: if almost everything is seen as critical, then not much is available to demarcate non-critical entities from critical entities. Here, the problem’s kernel can be seen to originate from the concept of criticality, and the EU and its regulations are far from being the only ones facing the problem (Ruohonen et al.,, 2024). As was discussed, further theoretically oriented work is required particularly regarding the EU’s traditional sectoral definition for critical infrastructures and its relation to the new digital infrastructure category present in the CER and NIS2 directives.
Second, it seems sensible to argue that risk management would deserve further contributions too in the NIS2 context. Although there is plenty of existing work in this area with respect to standards and technical solutions, the NIS2’s whole scope has not been addressed. In particular, the directive’s Article 21(2) mandates “an all-hazards approach” covering ten distinct risk management areas. These include traditional areas, such as risk analysis, incident handling, vulnerability coordination and disclosure, but also supply chain security, so-called cyber hygiene practices, authentication, encryption, human resources security, and even business continuity should be covered. Of these areas, supply chain risk management is particularly interesting as it is directly related to the interconnectedness problem and cascading failures (Sanders,, 2023). The all-hazards approach envisioned would also benefit from further work investigating and modeling how risks in the different areas are potentially connected to each other.
Third, none of the studies captured by the SLR protocol addressed or even discussed the databases and registries established and mandated by the NIS2 directive. Although only time will tell how these will function and what impact they will have, these can be seen as an important part of the directive in many ways. Thus, to begin with, the NIS2’s Article 12(2) introduces a new European vulnerability database. Once established and functional, this database requires evaluations and assessments already because of the well-known problems that have plagued vulnerability databases in general (Anwar et al.,, 2022; Nguyen and Massacci,, 2013). There are also opportunities for further work regarding potential international cooperation, interoperability between vulnerability databases, new vulnerability concepts brought by the CRA, and the effects of these upon vulnerability disclosure, coordination, and mitigation (Ruohonen and Timmers,, 2024). Then, to proceed, Article 27 in the NIS2 directive mandates registrations from all entities belonging to the digital infrastructure category to a centralized database managed at the EU-level. In addition to basic information, such as contact details, the entities must supply their Internet protocol address ranges. Furthermore, the subsequent Article 28 in the directive seeks to improve the security, stability, and resilience of the DNS by mandating the member states to collect registration data from not only TLD name registries but also from all conventional domain name registrations. Given the importance of domain name registration data in analyzing cyber attacks and resolving cyber crimes (Maroofi et al.,, 2020; Shi et al.,, 2018), this new obligation can be seen as particularly relevant in the NIS2’s database context.
Fourth, many of the publications reviewed operated in a context involving new technologies. In this context, it is worth recalling the publication that designed data collection from legacy systems. The reason is that many critical infrastructures either are legacy systems themselves or depend on legacy systems, which may increase cyber security risks and typically constrain the adoption of new technologies, including AI solutions (Hurst and Shone, 2024; Maglaras et al., 2018). This point should not be taken as an explicit criticism of the publications reviewed themselves. Instead, it concerns the NIS2 directive itself, which, in its recitals 51 and 89, encourages the member states to adopt innovative technologies, including AI, to tackle cyber security threats, including with respect to critical infrastructure protection. Given such an encouragement, further research is required on the presumably difficult interplay between critical infrastructures, legacy systems, and new technologies.
Fifth, many of the publications reviewed also designed and envisioned large-scale information sharing and situational awareness infrastructures. In addition to the previous point, it is worth remarking on the potential practical obstacles constraining the adoption and deployment of such infrastructures. There is a good reason for this remark: despite some progress, technical obstacles (including those related to standardization and interoperability), trust, and other related factors have constrained the sharing of cyber security information throughout the world (Ruohonen, 2024; Skopik et al., 2016; Zibak and Simpson, 2019). Further research is required on how such obstacles may affect the NIS2’s implementation, particularly with respect to union-wide, pan-European information sharing and the associated critical infrastructure protection.
Last, it is worth returning to the evaluation research already noted. While it is impossible to envision which particular areas will be especially relevant for evaluations, administration and enforcement are always relevant in the context of regulations. To this end, it again seems sensible to argue that the increased legal complexity and fragmentation will also be felt among public administrations, whether national or European. Administrative efficiency would thus likely offer a plausible research topic, whether examined by means of surveys or interviews. Analogously to the GDPR’s administration and enforcement (Ruohonen and Hjerppe, 2022), an alternative path would involve examining future administrative fines and other penalties for non-compliance. Here, it is worth mentioning that both the NIS2 directive and the CRA regulation entail potentially severe financial consequences for non-compliance. While fines, penalties, and non-compliance in general are essentially a negative way to approach regulations (nothing is said about compliance and good practices in general), they might still in the future reveal particular bottlenecks affecting the private sector operators of Europe’s critical infrastructures. With these points in mind, further work, perhaps in the form of university-industry collaborations, is required on the means by which compliance can be reasonably gained and proved.
References
- Almagro, (2023) Almagro, C. C. (2023). NIS2 Impact on Electronic Communications Networks Providers. In Proceedings of the International Workshop on Fiber Optics on Access Networks (FOAN 2023), pages 16–16, Gent. IEEE.
- Anwar et al., (2022) Anwar, A., Abusnaina, A., Chen, S., Li, F., and Mohaisen, D. (2022). Cleaning the NVD: Comprehensive Quality Assessment, Improvements, and Analyses. IEEE Transactions on Dependable and Secure Computing, 19(6):4255–4269.
- Bobbert and Timmermans, (2024) Bobbert, Y. and Timmermans, T. (2024). Zero Trust and Compliance with Industry Frameworks and Regulations: A Structured Zero Trust Approach to Improve Cybersecurity and Reduce the Compliance Burden. In Proceedings of the Future of Information and Communication Conference (FICC 2024), pages 650–667, Berlin. Springer.
- Bocianiak et al., (2024) Bocianiak, K., Pawlikowski, T., Podlasek, A., Wary, J.-P., and Wierzbowski, J. (2024). Challenges for Continuous, Provable Security Service Level Agreement Management in Computing Continuum. IEEE Access, 12:152097–152107.
- Casaril and Galletta, (2024) Casaril, F. and Galletta, L. (2024). Securing SATCOM User Segment: A Study on Cybersecurity Challenges in View of IRIS2. Computers & Security, 140:103799.
- Chiara, (2022a) Chiara, P. G. (2022a). The Cyber Resilience Act: the EU Commission’s Proposal for a Horizontal Regulation on Cybersecurity for Products With Digital Elements: An Introduction. International Cybersecurity Law Review, 3:255–272.
- Chiara, (2022b) Chiara, P. G. (2022b). The IoT and the New EU Cybersecurity Regulatory Landscape. International Review of Law, Computers & Technology, 36(2):118–137.
- Chiara, (2024) Chiara, P. G. (2024). The Internet of Things and EU Law: Cybersecurity, Privacy and Data Protection Challenges. Springer, Cham.
- Coppolino et al., (2024) Coppolino, L., Nardone, R., Petruolo, A., Romano, L., and Souvent, A. (2024). Exploiting Digital Twin Technology for Cybersecurity Monitoring in Smart Grids. In Proceedings of the 18th International Conference on Availability, Reliability and Security (ARES 2024), pages 1–10, Vienna. ACM.
- de Vasconcelos Casimiro, (2023) de Vasconcelos Casimiro, S. (2023). Cyber Operations Threatening the European Union and Its Member States: The Rise of the European Union as a Cyber Defence Actor. In Vicente, D. M., de Vasconcelos Casimiro, S., and Chen, C., editors, The Legal Challenges of the Fourth Industrial Revolution: The European Union’s Digital Strategy, pages 211–232. Springer, Cham.
- Eckhardt and Kotovskaia, (2023) Eckhardt, P. and Kotovskaia, A. (2023). The EU’s Cybersecurity Framework: The Interplay Between the Cyber Resilience Act and the NIS 2 Directive. International Cybersecurity Law Review, 4:147–164.
- Ellul et al., (2023) Ellul, J., Pace, G. J., Revolidis, I., and Schneider, G. (2023). When Is Good Enough Good Enough? On Software Assurances. ERA Forum, 23:337–360.
- Fisch and Block, (2018) Fisch, C. and Block, J. (2018). Six Tips for Your (Systematic) Literature Review in Business and Management Research. Management Review Quarterly, pages 103–106.
- Franke and Brynielsson, (2014) Franke, U. and Brynielsson, J. (2014). Cyber Situational Awareness – A Systematic Review of the Literature. Computers & Security, 46:18–31.
- Giunta et al., (2025) Giunta, G., Stira, C., Modic, J., Čaleta, D., Semertzidis, T., Zahariadis, T., and Skianis, C. (2025). Improved Resilience of Critical Infrastructures Against Large-Scale Transnational and Systemic Risks. In Gkotsis, I., Kavallieros, D., Stoianov, N., Vrochidis, S., Diagourtas, D., and Akhgar, B., editors, Paradigms on Technology Development for Security Practitioners, pages 169–182. Springer.
- Gounari et al., (2024) Gounari, M., Stergiopoulos, G., Pipyros, K., and Gritzalis, D. (2024). Harmonizing Open Banking in the European Union: An Analysis of PSD2 Compliance and Interrelation with Cybersecurity Frameworks and Standards. International Cybersecurity Law Review, 5:79–120.
- Grotto and Schallbruch, (2021) Grotto, A. J. and Schallbruch, M. (2021). Cybersecurity and the Risk Governance Triangle: Cybersecurity Governance From a Comparative U.S.–German Perspective. International Cybersecurity Law Review, 2:77–92.
- Harašta, (2018) Harašta, J. (2018). Legally Critical: Defining Critical Infrastructure in an Interconnected World. International Journal of Critical Infrastructure Protection, 21:47–56.
- Henze et al., (2024) Henze, M., Ortmann, M., Vogt, T., Ugus, O., Hermann, K., Nohr, S., Lu, Z., Michaelides, S., Massonet, A., and Schmitt, R. H. (2024). Towards Secure 5G Infrastructures for Production Systems. In Proceedings of the Applied Cryptography and Network Security Workshops, pages 198–203, Abu Dhabi. Springer.
- Horalek et al., (2024) Horalek, J., Otcenaskova, T., Sobeslav, V., and Tucnik, P. (2024). A Business Process and Data Modelling Approach to Enhance Cyber Security in Smart Cities. In Proceedings of the 9th EAI International Conference on Nature of Computation and Communication (ICTCC 2023), pages 70–84, Ho Chi Minh City. Springer.
- Hurst and Shone, (2024) Hurst, W. and Shone, N. (2024). Critical Infrastructure Security: Cyber-Threats, Legacy Systems and Weakening Segmentation. In Tekinerdogan, B., Akşit, M., Catal, C., Hurst, W., and Alskaif, T., editors, Management and Engineering of Critical Infrastructures, pages 265–286. Academic Press, Amsterdam.
- Jara et al., (2024) Jara, A., Martinez, I. G., and Sanchez, J. S. (2024). Cybersecurity Resilience Act (CRA) in Practice for IoT Devices: Getting Ready for the NIS2. In Proceedings of the IEEE Smart Cities Futures Summit (SCFC 2024), pages 56–60, Marrakech. IEEE.
- Katulić et al., (2024) Katulić, F., Groš, S., Sumina, D., and Erceg, I. (2024). Enhancing Industrial Automation and Control Systems Cybersecurity Using Endpoint Detection and Response Tools. In Proceedings of the 21st International Conference on Smart Technologies & Education (STE 2024), pages 186–197, Helsinki. Springer.
- Kitchenham et al., (2009) Kitchenham, B., Brereton, O. P., Budgen, D., Turner, M., Bailey, J., and Linkman, S. (2009). Systematic Literature Reviews in Software Engineering – A Systematic Literature Review. Information and Software Technology, 51(1):7–15.
- Krauze and Grabis, (2024) Krauze, B. and Grabis, J. (2024). A Conceptual Model of Digital Immune System to Increase the Resilience of Technology Ecosystems. In Proceedings of the 18th International Conference on Research Challenges in Information Science (RCIS 2024), pages 82–96, Guimarães. Springer.
- Lehto, (2022) Lehto, M. (2022). Cyber-Attacks Against Critical Infrastructure. In Lehto, M. and Neittaanmäki, P., editors, Cyber Security: Critical Infrastructure Protection, pages 3–42. Springer, Cham.
- Little, (2002) Little, R. G. (2002). Controlling Cascading Failure: Understanding the Vulnerabilities of Interconnected Infrastructures. Journal of Urban Technology, 9(1):109–123.
- Maglaras et al., (2018) Maglaras, L. A., Kim, K.-H., Janicke, H., Ferrag, M. A., Rallis, S., Fragkou, P., Maglaras, A., and Cruz, T. J. (2018). Cyber Security of Critical Infrastructures. ICT Express, 4(1):42–45.
- Malone and Walton, (2023) Malone, M. and Walton, R. (2023). Comparing Canada’s Proposed Critical Cyber Systems Protection Act with Cybersecurity Legal Requirements in the EU. International Cybersecurity Law Review, 4:165–196.
- Maroofi et al., (2020) Maroofi, S., Korczyński, M., Hesselman, C., Ampeau, B., and Duda, A. (2020). COMAR: Classification of Compromised Versus Maliciously Registered Domains. In Proceedings of the IEEE European Symposium on Security and Privacy (EuroS&P), pages 607–623, Genoa. IEEE.
- Martino, (2024) Martino, L. (2024). Cybersecurity in Italy: Governance, Policies and Ecosystem. Springer, Cham.
- Meagher and Dhirani, (2024) Meagher, H. and Dhirani, L. L. (2024). Cyber-Resilience, Principles, and Practices. In Qureshi, K. N., Newe, T., Jeon, G., and Chehri, A., editors, Cybersecurity Vigilance and Security Engineering of Internet of Everything, pages 57–74. Springer, Cham.
- Mersni et al., (2024) Mersni, A., Novikau, A., Koczan, M., and Shobole, A. A. (2024). Protect the EU’s Digital Energy Infrastructure Against Cyberthreats Through Advanced Technologies, Human Vulnerability Mitigation, and Ethical Practices. In Crowther, A., Foulds, C., Robison, R., and Gladkykh, G., editors, Strengthening European Energy Policy: Governance Recommendations From Innovative Interdisciplinary Collaborations, pages 115–128. Palgrave Macmillan, Cham.
- Mikac, (2023) Mikac, R. (2023). Protection of the EU’s Critical Infrastructures: Results and Challenges. Applied Cybersecurity & Internet Governance, 2(1):1–25.
- Möller, (2023) Möller, D. P. F. (2023). Guide to Cybersecurity in Digital Transformation: Trends, Methods, Technologies, Applications and Best Practices. Springer, Cham.
- Muñoz-Navarro et al., (2025) Muñoz-Navarro, E., Hernández-Montesinos, J. J., Marqués-Moreno, A., Papadopoulos, L., Karteris, A., and Demestichas, K. (2025). PRAETORIAN: From Protection to Resilience of Critical Infrastructures. In Gkotsis, I., Kavallieros, D., Stoianov, N., Vrochidis, S., Diagourtas, D., and Akhgar, B., editors, Paradigms on Technology Development for Security Practitioners, pages 155–168. Springer.
- Nguyen and Massacci, (2013) Nguyen, V. H. and Massacci, F. (2013). The (Un)Reliability of NVD Vulnerability Versions Data: An Empirical Experiment on Google Chrome Vulnerabilities. In Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security (ASIACCS 2013), pages 493–498. ACM.
- Ruohonen, (2021) Ruohonen, J. (2021). The Treachery of Images in the Digital Sovereignty Debate. Minds and Machines, 31:439–456.
- Ruohonen, (2024) Ruohonen, J. (2024). The Incoherency Risk in the EU’s New Cyber Security Policies. In Proceedings of the 23rd IFIP Conference on e-Business, e-Services, and e-Society (I3E 2024), pages 284–295, Heerlen. Springer.
- Ruohonen et al., (2024) Ruohonen, J., Choudhary, G., and Alami, A. (2024). An Overview of Cyber Security Funding for Open Source Software. Archived manuscript, available online: https://arxiv.org/abs/2412.05887.
- Ruohonen and Hjerppe, (2022) Ruohonen, J. and Hjerppe, K. (2022). The GDPR Enforcement Fines at Glance. Information Systems, 106:101876.
- Ruohonen and Timmers, (2024) Ruohonen, J. and Timmers, P. (2024). Vulnerability Coordination Under the Cyber Resilience Act. Archived manuscript, available online: https://arxiv.org/abs/2412.06261.
- Sanders, (2023) Sanders, I. T. (2023). Risk Assessment and Identification Methodology for the Defense Industry in Times of Crisis: Decision-Making. In Balomenos, K. P., Fytopoulos, A., and Pardalos, P. M., editors, Handbook for Management of Threats: Security and Defense, Resilience and Optimal Strategies, pages 103–123. Springer, Cham.
- Schaberreiter et al., (2022) Schaberreiter, T., Quirchmayr, G., and Papanikolaou, A. (2022). A Case for Cybersecurity Awareness. In Andriessen, J., Schaberreiter, T., Papanikolaou, A., and Röning, J., editors, Cybersecurity Awareness, pages 1–19. Springer, Cham.
- Schaberreiter et al., (2023) Schaberreiter, T., Wieser, C., Koumpis, A., Luidold, C., Andriessen, J., Cappiello, C., and Röning, J. (2023). Addressing Critical Issues and Challenges for Dynamic Cybersecurity Management in Organisations and Local / Regional Networks: The CS-AWARE-NEXT Project. In Proceedings of the Fifth International Conference on Transdisciplinary AI (TransAI 2023), pages 232–236, Laguna Hills. IEEE.
- Schmitz-Berndt and Chiara, (2022) Schmitz-Berndt, S. and Chiara, P. G. (2022). One Step Ahead: Mapping the Italian and German Cybersecurity Laws Against the Proposal for a NIS2 Directive. International Cybersecurity Law Review, 3:289–311.
- Shaffique, (2024) Shaffique, M. R. (2024). Cyber Resilience Act 2022: A Silver Bullet for Cybersecurity of IoT Devices or a Shot in the Dark? Computer Law & Security Review, 54:106009.
- Shi et al., (2018) Shi, Y., Chen, G., and Li, J. (2018). Malicious Domain Name Detection Based on Extreme Machine Learning. Neural Processing Letters, 48:1347–1357.
- Skias et al., (2022) Skias, D., Tsekeridou, S., Zahariadis, T., Voulkidis, A., and Velivassaki, T.-H. (2022). Demonstration of Alignment of the Pan-European Cybersecurity Incidents Information Sharing Platform to Cybersecurity Policy, Regulatory and Legislative Advancements. In Proceedings of the 17th International Conference on Availability, Reliability and Security (ARES 2022), pages 1–8, Vienna. ACM.
- Skopik et al., (2016) Skopik, F., Settanni, G., and Fiedler, R. (2016). A Problem Shared is a Problem Halved: A Survey on the Dimensions of Collective Cyber Defense Through Security Information Sharing. Computers & Security, 60:154–176.
- Spinuzzi, (2011) Spinuzzi, C. (2011). Losing by Expanding: Corralling the Runaway Object. Journal of Business and Technical Communication, 25(4):449–486.
- Vandezande, (2024) Vandezande, N. (2024). Cybersecurity in the EU: How the NIS2-Directive Stacks Up Against Its Predecessor. Computer Law & Security Review, 52:105890.
- Veigurs et al., (2024) Veigurs, M., Lasmanis, T., and Romanovs, A. (2024). IT Governance in Critical Sectors: Towards the NIS2 Implementation. In Proceedings of the IEEE 65th International Scientific Conference on Information Technology and Management Science of Riga Technical University (ITMS 2024), pages 1–7, Riga. IEEE.
- Walden and Michels, (2024) Walden, I. and Michels, J. D. (2024). Getting Critical: Making Sense of the EU Cybersecurity Framework for Cloud Providers. In de Andrade, F. A. C. P., Freitas, P. M. F., and de Sousa Covelo de Abreu, J. R., editors, Legal Developments on Cybersecurity and Related Fields, pages 9–38. Springer, Cham.
- Wanecki et al., (2023) Wanecki, P., Jašek, R., and Drofova, I. (2023). The Contribution of the European NIS2 Directive to the Design of the Cyber Security Model. In Proceedings of the International Conference on Information and Digital Technologies (IDT 2023), pages 149–154, Zilina.
- Wylde et al., (2023) Wylde, V., Prakash, E., Hewage, C., and Platts, J. (2023). Post-Covid-19 Metaverse Cybersecurity and Data Privacy: Present and Future Challenges. In Hewage, C., Rahulamathavan, Y., and Ratnayake, D., editors, Data Protection in a Post-Pandemic Society: Laws, Regulations, Best Practices and Recent Solutions, pages 1–48. Springer, Cham.
- Wysocki, (2024) Wysocki, K. (2024). Protecting Critical Infrastructure: Methods and Techniques. In Kowalkowski, S., Kaźmierczak, D., and Paul, S., editors, Civil Protection Systems and Disaster Governance: A Cross-Regional Approach, pages 41–59. Palgrave Macmillan, Cham.
- Zibak and Simpson, (2019) Zibak, A. and Simpson, A. (2019). Cyber Threat Information Sharing: Perceived Benefits and Barriers. In Proceedings of the 14th International Conference on Availability, Reliability and Security (ARES 2019), pages 1–9, Canterbury. ACM.