On December 7, the European Parliament and the Luxembourg Presidency of the EU Council of Ministers (Council) announced that they have reached agreement on the text of the proposed new EU Cybersecurity Directive (Directive).

While the agreed (and likely final) text of the Directive has not yet been published, this announcement marks a significant milestone in the passage of the Directive into European law. The European Commission (EC) launched a public consultation on a new EU-wide strategy for network and information security in July 2012, finding that 57 percent of respondents had experienced security problems, data breaches, and/or hacking during the previous year. Subsequently, on February 7, 2013, the EC published proposed text for the new Directive and proposals for a new EU cybercrime strategy. The proposals were debated at length during the last 34 months and passed through the European Union’s “ordinary legislative procedure,” resulting in a full agreement on the final text in both Parliament and the Council.

Based on prior iterations, it is anticipated the Directive will include:

  • a requirement for EU member states to adopt a national strategy for network and information security;
  • measures requiring EU member states to designate a national authority to prevent, handle and respond to network information security risks and incidents;
  • the establishment of a co-operation network between the EC and EU national authorities, including an “early warning system” for cybercrime incidents—particularly when they are large-scale incidents or have a cross-border element;
  • requirements for national authorities to publish information about ongoing early warnings on a dedicated website, and to maintain a secure information-sharing infrastructure to allow for the exchange of sensitive and confidential information within the co-operation network; and
  • measures requiring “public administrations” and “market operators” to manage security risks and report security incidents to their national authority. A “market operator” will be defined as a “provider of information society services that enable the provision of other information society services” (including e-commerce platforms, Internet payment gateways, social networks, search engines, cloud computing services and application stores), and the term will also include providers of critical infrastructure essential for the “maintenance of vital economic and societal activities in the fields of energy, transport, banking, stock exchanges and health.”

The final text should be published on December 18 for formal approval by EU member states. They will have 21 months to implement the Directive into their respective national laws, meaning that the effective date for the Directive should be in September or October 2017.

The press releases from EU authorities on the new Directive are available online from Parliament, the EC and the Council.