On 17 May 2016, the EU Council adopted its position at first reading of the Network and Information Security Directive (NIS Directive). First proposed by the European Commission in 2013, the Directive has been designed to bolster cooperation between the Member States on cybersecurity issues. The NIS requires each Member State to formulate a strategy to deal with cyber threats, and assign responsibility to one or more competent authority to handle the security of network and information systems issues. It will impose security obligations on “operators of essential services” in critical sectors such as energy, transport, banking, health and water supply, and on “digital service providers”. These providers will be obliged to take active steps to manage cyber risks and report major security breaches to the relevant competent authority. The NIS Directive now needs to be approved by the European Parliament. It is expected to enter into force in August 2016, but thereafter Member States will have 21 months to adopt the necessary national provisions and then 6 months to identify operators of essential services.