On Monday, the European Parliament, Council and Commission came to an agreement on the Network and Information Security (NIS) Directive.   

The NIS Directive is the first pan-European set of cyber security rules and aims to ensure a high common level of cyber security across Member States. Each Member State will be required to designate a national competent authority to ensure compliance with the new Directive and to be responsible for handling and responding to cyber security incidents. The key changes introduced by the Directive are new security and notification requirements for companies in certain sectors. These requirements will affect companies that operate “essential services” (e.g. energy suppliers, banks and healthcare providers) and also “digital service providers” (e.g. search engines, cloud computing services, online marketplaces).

So what’s next?  The text will have to be formally approved by the European Parliament and Council.  Once approved, the UK and other Member States will then have 21 months to implement the Directive into national law. 

For further details, please see the press release here.