In 2013 an EU-wide cybersecurity strategy was proposed by the EU Commission. Just last week the EU Parliament, the Council of Europe and the EU Commission reached agreement on the proposed wording of the National and Information Security (NIS) Directive.
The NIS Directive will aim to establish minimum standards of cybersecurity and reporting requirements for serious breaches of cybersecurity to appropriate authorities in Member States for public bodies and essential service providers such as banks and businesses engaged in the provision of energy and water.
Under the NIS Directive Member States will be required to co-operate on cybersecurity, exchange information in relation to breaches of cybersecurity and offer assistance in relation to best practices to prevent breaches of cybersecurity and assist Member States in securing their infrastructure.
This is the first time Europe has created EU-wide security rules on cybersecurity, and it reflects the real importance of cybersecurity and the risk of cybercrime.
Once the NIS Directive comes into force Member States will have 21 months to implement the directive into their national laws.
While the full details have yet to be disclosed, once ratified, the new rules will be phased in over two years. Ratification of the legislation is expected to be in the second quarter of next year (2016). The framework calls for stiff penalties to be imposed for non-compliance, with fines potentially reaching as high as 2% of a company’s global turnover, or up to €75 million for the most aggravated cases of complacency.