Agreement has been reached on the first EU-wide cybersecurity legislation

In 2013, the European Commission put forward a proposal for a Network and Information Security Directive (the “NIS Directive”) as part of the EU’s Cyber Security Strategy. On 7 December 2015, the European Parliament and Council of Ministers reached political agreement on the NIS Directive, which includes data breach notification obligations.

According to the Commission’s press release published on 8 December 2015, the NIS Directive will improve the cybersecurity capabilities of and cooperation between EU Member States. The Commissioner for the Digital Economy and Society further explained that this improved cooperation will assist the EU in its fight against increasing numbers of cyber attacks, commenting that “cybersecurity is essential in today’s European digital economy and society – and it remains a permanent challenge.”

The key elements of the NIS Directive include:

  • a requirement for “operators of essential services” in critical infrastructure sectors (e.g. energy, transportation, healthcare and banking) and digital service providers (e.g. search engine operators, cloud computing services and ecommerce platforms) to implement appropriate technical and organisational measures to manage security risks and to notify the national competent authority of serious incidents;
  • the adoption by Member States of a national strategy to include policies and measures to maintain a level of network and information security;
  • the designation of a national competent authority to implement and enforce the NIS Directive and create Computer Security Incident Response Teams (“CSIRT”) responsible for investigating data security incidents and cybersecurity risks; and
  • the creation of a Cooperation Group to support and facilitate strategic cooperation and information exchange between Member States and a CSIRT Network to “promote swift and effective operational cooperation on specific cybersecurity incidents and sharing information about risks.”

The NIS Directive will now have to be formally approved by the Council and the Parliament. After that, EU Member States will have 21 months to implement the NIS Directive into their national laws.