In March members of the European Parliament voted through a revised draft of the Network and Information Security Directive (the “NISD”). The first draft of the NISD was released by the European Council in early 2013, with the aim of harmonising cyber security across the EU Member States through introducing common minimum standards of network and information security. However, the scope of the application of the draft NISD was criticised as it was to apply to “enablers of key internet services” such as cloud providers, social networks and e-commerce platforms.

The revised draft of the NISD that was passed by the European Parliament scales back the application of the directive, such that it now applies to private sector organisations “the disruption or destruction of which would have a significant impact in a Member State”. This is defined as including companies operating in the following sectors:

  • Energy;
  • Transport;
  • Banking and financial market infrastructures;
  • Food Supply;
  • Internet Exchange Points; and
  • Health.

The new definition therefore excludes the application of the NISD to technology service providers that were caught in the original draft.

For those private sector organisations that are still caught by the definition, the revised draft of the NISD retains the two core principles that underpinned the EU Council’s draft, which required the relevant private sector companies to:

  • Implement security measures to “guarantee a level of security appropriate to the risk presented”; and
  • Notify National Competent Authorities of any “incidents having a significant impact on the security of the core services they provide”.

Next Steps

Whilst progress has been made in relation to the scope of the NISD, it remains unclear how it will interact with other European regulation in this area, such as the new EU Data Protection Regulation and, in respect of telecommunications companies, the existing ePrivacy Directive. It is hoped that this will be resolved as the negotiations on the common approach to the NISD across Member States are conducted by the European Council, ahead of the deadline for adoption of the NISD in December 2014.

Whilst the scope of the application of the NISD has been scaled back, it is clear that the issue of cyber security applies to all businesses. Even those in industries that are outside of the scope of the NISD will therefore be watching with interest to see how the NISD is implemented and the lessons that are learned.