In a bid to respond effectively to cyber threats, the EU institutions and individual Member States have adopted EU-level and national cybersecurity strategies and regulation. The Network and Information Security Directive, which was proposed by the Commission in 2013, has been negotiated between the European Parliament and the Council in response to increasing concerns about cyber attacks resulting in security and privacy breaches. It will impact on a wide range of organisations, including businesses in sectors such as energy, transport, banking, financial markets and health. In addition, some internet service providers, such as online marketplaces, search engines and cloud services, will also have to ensure the safety of their infrastructure.

The provisionally-agreed text still needs to be formally approved by Parliament’s Internal Market Committee and the Council Committee of Permanent Representatives before a date can be set for implementation of the Directive.

The Directive aims to ensure a high common level of cybersecurity in the EU, by:

  • Improving Member States’ national cybersecurity capabilities through setting out concrete policy and regulatory measures to maintain a level of network and information security.
  • Improving cooperation between Member States, and between public and private sector bodies against risks and incidents affecting network and information systems.
  • Requiring companies in critical sectors – such as energy, transport, banking and health – as well as key Internet services to adopt risk management practices and report major incidents to the national authorities.

The European Commission’s Vice President for the Digital Single Market, Andrus Ansip, said the new law would build up consumers’ trust in Internet services, especially cross-border services.

With a decision reached, the Network and Information Security Directive will have a major impact on many public bodies and businesses. Under the new measure, for the first time in the EU there will be an information security framework with national regulatory authorities and European-wide information security standards.

Businesses in impacted sectors should urgently review their information security resources, policies and procedures to prepare for the new law.