On December 7, 2015, representatives of the European Parliament and European Union governments agreed on the first EU-wide cybersecurity law, titled the Network and Information Security Directive (Directive).11 The Directive is the result of a proposal put forward by the European Commission (EC) in 2013 to enhance network and information security.

According to the EC, the agreed-upon Directive would impose security and notification requirements on Digital Service Providers (DSPs), described as including search engines, eCommerce platforms, and cloud computing services. Similar rules also would be imposed on “operators of essential services,” defined as including the transportation, energy, healthcare, and banking sectors. The Directive would require Member States to designate a “national competent authority” for implementing and enforcing the Directive, and would require these service providers to notify such authorities of any serious incidents related to cybersecurity.

The Directive also would require Member States to set forth a national cybersecurity strategy. It would also require each Member State to establish a Computer Security Incident Response Team (CSIRT) responsible for handling incidents and risks. The Directive would set forth measures to increase cybersecurity cooperation among Member States, such as through information exchanges and a network of CSIRTs. Finalization of the Directive will require formal approval of its text by the European Parliament and EC; the text has not yet been publicly released.12 Member States will then have 21 months to implement the Directive and identify operators of essential services.