Skip to content
EU Cybersecurity Directive

EU Cybersecurity Directive

Blog Post
05 January 2016
Author
Parker Nigel
Nigel Parker

Partner

London

Browse this blog post

On 18 December 2015, the agreed text of the Network and Information Security Directive (the NIS Directive) was released. With cybersecurity firmly established as a key business risk, the introduction of specific laws in this area across the European Union will have a significant impact. Our alert provides an overview of the new legislation and assesses what impacts the NIS Directive will have on our clients.

The aim of the NIS Directive is to ensure a high common level of security of networks and information systems (or cybersecurity) across the EU. The Directive establishes minimum security and incident notification requirements for:

- operators of “essential services”– this includes those relating to energy, transport, banking, financial market infrastructure, health and drinking water distribution and supply, as well as certain digital infrastructure (although telecommunication service providers have been expressly carved out as current EU legislation requires these businesses to report significant disruptions already); and

- “digital service providers” – this covers online marketplaces, online search engines and cloud computing services. Notably, social networks are not caught (although they had appeared in earlier drafts of the Directive).

The Directive applies to businesses established in a Member State and importantly, in respect of digital service providers, those providing services within a Member State.

The Directive also requires each Member State to enact national legislation which will enable them to monitor and, if required, enforce a minimum standard of cybersecurity upon such businesses. A number of centralised bodies are to be created within each Member State to facilitate cross-border cooperation and offer guidance to the relevant businesses which will be obliged to report any incidents, such as service disruption or a breach of security, which may have a significant effect on the continuity of the service provided.

It now only remains for the text to be formally adopted and published in the Official Journal of the European Union. The NIS Directive will enter into force in early 2016, and Member States will have up to 21 months from that date to enact national implementing legislation and bring those new rules into force.

Related blog topics

Cookies on our website

We use cookies on our site to remember you, show you content we think you will like and help you to use the site. For more details, please see our cookies policy.

Click 'Accept' to consent to cookies other than strictly necessary cookies or 'Reject' if you do not. You can change your mind at any time by visiting our cookie policy page.

Accept cookies
Reject cookies