On 6 July 2016, the European Parliament adopted the Directive on Security of Network and Information Systems (the “NIS Directive”). The NIS Directive has been a key element of the European Commission’s Cyber Security Strategy since its launch in 2013; it is the first ever EU-wide legislation specifically on cyber security.
The NIS Directive requires each Member State to adopt a national strategy for the security of network and information systems, setting out, amongst other things, cooperation channels between the public and private sectors. Member States will have to designate competent authorities to monitor application of the NIS Directive and computer security incident response teams (CSIRTs) to handle cyber security incidents and disseminate information about them. Several Member States had already begun this process.
The NIS Directive also seeks to promote EU-wide strategic cooperation and information exchange through a network of relevant authorities and the European Union Agency for Network and Information Security (known as ENISA).
For businesses, the NIS Directive applies to digital service providers, such as online marketplaces, cloud computing services and search engines, and to operators of “essential services” within critical sectors such as energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, and digital infrastructure. Affected businesses will have new risk management and incident reporting obligations, but much will turn upon the details of national implementation.
The NIS Directive is expected to enter into force in August 2016. Member States will then have 21 months to transpose it into their national laws and a further six months to identify national operators of essential services based on a set of agreed common criteria.