The Network and Information Security Directive has been adopted by the Council of the European Union. As previously reported here, the Directive was proposed by the Commission in 2013 as part of a strategy to respond effectively to cyber threats and ensure a high common level of cybersecurity across the EU by:

  • improving Member States’ national cybersecurity capabilities by setting out concrete policy and regulatory measures to maintain a common level of network and information security.
  • requiring companies in critical sectors – such as energy, transport, banking and health – as well as key Internet services to adopt risk management practices and report major incidents to the national authorities.
  • improving cooperation between Member States, and between public and private sector bodies against risks and incidents affecting network and information systems.

The Directive will affect a wide range of organisations, including businesses in sectors such as energy, transport, health and financial services. In addition, some internet service providers, such as online marketplaces, search engines and cloud service providers, will also have to secure their infrastructure.

The Directive must next be approved by the European Parliament. Once approved, it is expected to enter into force in August 2016 and thereafter Member States will have 21 months to adopt the necessary national provisions.

With implementation of the Directive approaching, businesses in impacted sectors should urgently review their information security resources, policies and procedures to prepare for the new law.