On 19 July 2016, the text of the Directive concerning measures for a high common level of security of network and information systems across the Union (Cyber-security Directive) was published in the Official Journal of the EU.

Article 1 of the Directive confirms the core objective as the achievement of a high common level of security of network and information systems (SNIS) within the Union. This objective is intended to be achieved through five obligations put forward by the Directive:

  • Member States laying down and adopting a national strategy on SNIS.
  • Creation of a Cooperation Group to facilitate cooperation and exchange of information between Member States.
  • Creation of a Computer Security Incident Response Teams Network (CSIRT).
  • Establishment of security and notification requirements for operators of essential services and for digital service providers.
  • Member States to nominate national competent authorities with tasks relating to security of network and information systems.

The Directive is without prejudice to Member State actions to safeguard national security and imposes a regime of identifying operators (both private and public bodies) of essential services by 2018 (Article 5). The sectors to which this applies include, among others, energy, transport, banking, financial market infrastructures and digital infrastructure.

The Directive will come into force on 8 August 2016.