23 May 2016

The Council Of The European Union Adopted The EU Network And Information Security (NIS) Directive (The 'Directive') 17 May, Ready For Final Adoption By The European Parliament.

Reed Smith (Worldwide)


The Council of the European Union adopted the EU Network and Information Security (NIS) Directive (the 'Directive') on 17 May, ready for final adoption by the European Parliament. The Directive, initially proposed in 2013, has been progressing through the EU legislative procedure for some time. As we reported in December last year, the Directive covers the handling of attacks on digital systems and requires certain organisations that suffer serious cyber attacks to notify authorities in the member state in which they are based.

The Directive is expected to enter into force in August, granting member states a 21-month period to adopt the provisions therein. The Directive is therefore likely to take effect from May 2018.

The NIS Directive was drafted to satisfy the following aims and objectives:

  • To improve cooperation between member states on the issue of cybersecurity
  • To improve cybersecurity capabilities in member states
  • To ensure that operators of essential services in critical sectors (e.g., banking, health care, energy and transport), and key digital service providers (e.g., online marketplaces, search engines and cloud services), take appropriate security measures and report cybersecurity incidents to the national authorities
  • To require each EU country to designate one or more national authorities
  • To establish an EU-wide strategy for dealing with cyber threats

The Directive will apply to companies within 'critical sectors' and will require them to notify national authorities of any cyber attack that has "a significant impact on the continuity of the essential services they provide." Likewise, digital service providers would have to notify where they experience "a substantial impact on the provision of a service" offered in the EU. The Directive requires transparency from organisations on digital security issues, and corresponds with the concept of accountability that runs through the recently adopted General Data Protection Regulation.
