EU- wide cybersecurity rules adopted by the Council
On 17 May 2016, the EU Council officially adopted at first reading the Network Information Security
Directive ("NIS Directive"), which is the first EU-wide legislation on cyber security and complements
the General Data Protection Regulation.
The NIS Directive will increase cooperation between Member States on the crucial issue of
cybersecurity. It lays down security obligations for operators of essential services in critical sectors
such as energy, transport, health and finance, as well as for digital services' providers (services such
as online marketplaces, search engines and cloud services). Each EU country will also be required to
designate one or more national authorities and to establish a strategy for dealing with cyber threats.
Each Member State will determine the applicable sanctions for non-compliance with the Directive.
To conclude the procedure, the legal act must still be approved by the European Parliament at
second reading. The NIS Directive is expected to enter into force in August 2016. After that, every EU
Member State will have 21 months (i.e., until May 2018) to transpose it into national law and an
additional six months (i.e., until November 2018) to identify which 'operators of essential services' fall
within the Directive’s scope. Nevertheless, businesses affected should be getting ready now.
For more information, please contact Raul Rubio, Patricia Perez, Rosario Alvarez, Ignacio Vela,
Alvaro Ubeda or Cristina Monereo.