In summer 2016, the EU adopted its directive on the security of network and information systems (NIS directive). EU member states must transpose the directive into their national law by May 2018. The core provisions of the directive put pressure on European companies: Operators of critical infrastructures must implement cybersecurity requirements and report cyber attacks. Moreover, the directive covers major digital services. Online marketplaces, search engines and cloud services must fulfil similar requirements. Germany has been at the forefront of implementing the NIS directive. Even before the directive was passed by the European Parliament, Germany has adopted the first IT security law, which is close to the European provisions, and sets up cybersecurity requirements for critical infrastructures and digital services. However, NIS directive and its national implementations are just a part of the evolving cyber regulation in Europe. Sectorial regulation is spreading, too. Martin Schallbruch performs an analysis of the problems and opportunities of the regulatory rush in European cybersecurity. Martin Schallbruch is a Senior Researcher for Cyber Innovation and Cyber Regulation at the European School of Management and Technology, Berlin. For more than 10 years, he was a director-general in the German federal government, responsible for digital strategy and cybersecurity.