Cybersecurity: New EU rules

An obligation to report significant cybersecurity incidents, and appropriate and proportionate technical and organisational risk management measures are key requirements of a new EU directive which will cover many businesses currently not subject to similar rules. Businesses that are caught by the new rules will want to review their policies for preventing, managing and responding to a cybersecurity breach.  

The Networks and Information Systems Directive (the NIS Directive) will enter into force in early 2016, and Member States will have up to 21 months from that date to enact national implementing legislation and bring those new rules into force. The fact that the legislation is in the form of a directive means there is scope for variation between Member States.

The NIS Directive imposes specific obligations on both public and private "operators of essential services". Each Member State will identify those entities which meet the definition of "operator of essential services" with an establishment in their territory.

Credit institutions, operators of trading venues and central counterparties (all as defined under EU legislation) are listed in an annex to the NIS Directive as the types of entities that might be "operators of essential services".

Competent authorities may verify compliance and, where necessary, issue binding instructions or take other remedial action such as notifying the public of cybersecurity incidents that have occurred. National laws may be invoked to apply sanctions for non-compliance.

Legal and Regulatory Risk Note