On July 19, the final text of an EU directive concerning measures for a high common level of security of network and information systems within the European Union (EU) (referred to as the Cybersecurity Directive) was published in the Official Journal of the EU.
As noted in our previous Corporate & Financial Weekly Digest edition of May 20, 2016, the Cybersecurity Directive establishes an EU-wide framework for operators of essential services (including banks and market infrastructure providers) and digital services providers (including online marketplaces, online search engines and cloud computing). Entities covered by the Cybersecurity Directive will be required, at a minimum, to implement organizational measures to prevent, minimize and manage threats to the security of their network and information systems. Under the Cybersecurity Directive, EU member states will also be required to: 1) establish a national cybersecurity strategy; 2) designate a single point of contact for tasks related to cybersecurity; and 3) identify the operators of essential services established in their jurisdictions by November 9, 2018, among other obligations.
EU member states have until May 9, 2018 to transpose the Cybersecurity Directive into their national laws (with those laws to be applied from May 10, 2018). As a consequence, the jurisdictional scope of the Cybersecurity Directive with respect to operators of essential services (including non-EU entities) is not yet confirmed and will depend on the national measures implemented by each EU member state.
It is noteworthy that non-EU service providers with clients in the European Union will be required by the Cybersecurity Directive to designate a representative in the EU and will be deemed to be under the jurisdiction of the EU member state in which the representative is established.
The Cybersecurity Directive goes into effect on August 8, 2016 (20 days following its publication in the Official Journal of the EU).
The Cybersecurity Directive is available here.