On 7 December 2015, the European Parliament and the Luxembourg Presidency of the EU Council of Ministers reached an informal agreement on common rules to strengthen European cyber security via the Network Information Security (NIS) directive.

The aim of the directive. The directive is a step towards a more coordinated approach towards cyber security in Europe. The provisionally-agreed text advocates increased cooperation between member states and enhanced mandatory security requirements for infrastructure operators and digital service providers. 

It is likely that the directive will be followed shortly by the General Data Protection Regulation (GDPR) - EU Commission President Juncker reaffirmed the “swift adoption” of the directive and GDPR as a priority in September 2015. We also hear from our Regulatory & Public Affairs team in Brussels that the negotiators are confident that the trilogue meeting on 15 December could be the final one for the GDPR.

Increased cooperation between member states. Each member state will be required to designate one or more national authorities to deal with cyber security and set out a strategy dealing with cyber matters. An EU-level cooperation group will also be created to support strategic cooperation and the exchange of best practices amongst member states. A network of national computer security incident response teams (CSIRTs) will also be set up to promote operational cooperation.

Enhanced security requirements for companies affected by the directive. Companies who fall under the following definitions will be directly captured by the directive:

  • “Critical infrastructure operators”, including companies operating in the energy, transport, banking, financial market infrastructures, healthcare, water and digital infrastructure sectors.
  • “Digital service providers”, including all operators providing e-commerce platforms, search engines and cloud services.

Critical infrastructure operators and digital service providers will be subject to two different regimes. However, both sets of operators will be required to take measures to manage cyber risks and report major security incidents. 

How the NIS directive will become law. The informal agreement must be confirmed by member states. The presidency will present the agreed text for approval at the Permanent Representatives Committee (Coreper) on 18 December 2015. The provisionally-agreed text will then require the approval of the Internal Market Committee. To conclude the procedure, formal adoption by both the Council and Parliament is required. The directive will then be published in the Official Journal of the European Union several weeks later.

Member state deadlines. Once the draft directive has been formally adopted, member states will have 21 months from the directive’s entry into force to adopt the necessary national provisions. Following this period, they will have a further six months to identify their operators of essential services. In parallel, sector specific standards will be developed in collaboration with ENISA. 

Meanwhile the German legislature has forged ahead with its own IT Security Act (the Act) adopted in July this year. The Act introduces additional cyber security requirements, including enhanced ISO standards, for companies operating in the energy sector. The Act also captures companies from the following sectors: finance, healthcare, transport, food, water, internet service and telecoms, as well as certain important insurers. Specific standards for these sectors will be published in the near future (they are being developed by the relevant Germany industry associations).

Next steps for affected companies. Companies affected might wish to lobby their national parliaments - either directly or via trade associations - to influence how the directive is implemented nationally. Alternatively, tell us your views on (i) the standards to be applied and/or (ii) how the directive should be implemented - and we can convey your views to relevant legislators.