The Council of the European Union adopted the EU Network and Information Security (NIS) Directive (the ‘Directive’) on 17 May, leaving it ready for final adoption by the European Parliament. The Directive, initially proposed in 2013, has been progressing through the EU legislative procedure for some time. As we reported in December last year, the Directive covers the handling of attacks on digital systems and requires certain organisations that suffer serious cyber attacks to notify the authorities in the member state in which they are based.
The Directive is expected to enter into force in August, after which member states will have 21 months to transpose its provisions into national law. It is therefore expected to take effect from May 2018.
The NIS Directive was drafted to satisfy the following aims and objectives:
- To improve cooperation between member states on the issue of cybersecurity
- To improve cybersecurity capabilities in member states
- To ensure that operators of essential services in critical sectors (e.g., banking, health care, energy and transport), and key digital service providers (e.g., online marketplaces, search engines and cloud services), take appropriate security measures and report cyber security incidents to the national authorities
- To require each EU country to designate one or more national authorities
- To establish an EU-wide strategy for dealing with cyber threats
The Directive will apply to companies within ‘critical sectors’ and will require them to notify national authorities of any cyber attack that has “a significant impact on the continuity of the essential services they provide.” Likewise, digital service providers will have to notify where they experience “a substantial impact on the provision of a service” offered in the EU. The Directive requires transparency from organisations on digital security issues, and is consistent with the concept of accountability that runs through the recently adopted General Data Protection Regulation.