Privacy & Information Security Law Blog

On July 6, 2016, the European Parliament adopted the Directive on Security of Network and Information Systems (the “NIS Directive”), which will come into force in August 2016. EU Member States will have 21 months to transpose the NIS Directive into their national laws. The NIS Directive is part of the European Commission’s cybersecurity strategy for the European Union, and is designed to increase cooperation between EU Member States on cybersecurity issues.

The objective of the NIS Directive is to set a common level of security for networks and information systems throughout the European Union. To achieve this objective, EU Member States must:

• adopt a national strategy on the security of the network and information systems;
• designate a competent authority to monitor the implementation of the NIS Directive; and
• designate one or more Computer Security Incident Response Team(s).

A cooperation group composed of representatives from EU Member States will be appointed and will work on providing guidance and sharing information on network security.

At a company level, there will be a risk management and incident reporting obligation to national authorities for operators of “essential services” and digital service providers. Operators of essential services will be identified by EU Member States based on the following criteria: (1) if the entity provides a service which is essential for the maintenance of critical societal/economic activities; (2) the provision of that service depends on network and information systems; and (3) a security incident would have significant disruptive effects on the provision of the essential service. The targeted digital service providers include online marketplaces, cloud computing services and search engines.

The sectors in scope of the NIS Directive include energy, transportation, banking, financial markets, health, water and digital infrastructure. The incidents requiring notification will be assessed according to the following factors: number of users affected, duration of incident, geographic spread, the extent of the disruption of the service and the impact on economic and societal activities.

Going forward, the European Commission will adopt implementing acts with respect to security requirements and notifications obligations of digital service providers within one year of the adoption of the NIS Directive.