EU Cybersecurity Directive
Browse this blog post
On 18 December 2015, the agreed text of the Network and Information Security Directive (the NIS Directive) was released. With cybersecurity firmly established as a key business risk, the introduction of specific laws in this area across the European Union will have a significant impact. Our alert provides an overview of the new legislation and assesses what impacts the NIS Directive will have on our clients.
The aim of the NIS Directive is to ensure a high common level of security of networks and information systems (or cybersecurity) across the EU. The Directive establishes minimum security and incident notification requirements for:
- operators of “essential services”– this includes those relating to energy, transport, banking, financial market infrastructure, health and drinking water distribution and supply, as well as certain digital infrastructure (although telecommunication service providers have been expressly carved out as current EU legislation requires these businesses to report significant disruptions already); and
- “digital service providers” – this covers online marketplaces, online search engines and cloud computing services. Notably, social networks are not caught (although they had appeared in earlier drafts of the Directive).
The Directive applies to businesses established in a Member State and importantly, in respect of digital service providers, those providing services within a Member State.
The Directive also requires each Member State to enact national legislation which will enable them to monitor and, if required, enforce a minimum standard of cybersecurity upon such businesses. A number of centralised bodies are to be created within each Member State to facilitate cross-border cooperation and offer guidance to the relevant businesses which will be obliged to report any incidents, such as service disruption or a breach of security, which may have a significant effect on the continuity of the service provided.
It now only remains for the text to be formally adopted and published in the Official Journal of the European Union. The NIS Directive will enter into force in early 2016, and Member States will have up to 21 months from that date to enact national implementing legislation and bring those new rules into force.