On December 7, 2015, European negotiators reached an agreement on the draft text of the Network and Information Security Directive (the “NIS Directive”), the first pan-EU rules on cybersecurity. The NIS Directive was first proposed by the European Commission on February 7, 2013, as part of its cybersecurity strategy for the European Union and aims to ensure a uniform level of cybersecurity across the EU.
The NIS Directive requires transport and energy companies, as well as online marketplaces, search engines and cloud providers, to provide robust security for their digital infrastructure. Companies in these sectors will also have to report serious breaches to national authorities.
The NIS Directive also aims to foster cooperation among EU Member State authorities by setting up a strategic cooperation group to exchange information and best practices, draw up guidelines, and assist Member States in building cybersecurity capacity. In addition, a network of Computer Security Incident Response Teams will be established and implemented by each Member State to discuss and identify potential coordinated responses to cross-border security incidents.
The Parliament’s Internal Market Committee and the Council of the European Union Committee of Permanent Representatives are expected to approve the agreed text around December 18, 2015. After official publication of the text, EU Member States will have 21 months to transpose the NIS Directive into national law.