ARTICLE
20 July 2016

European Parliament Adopts EU Cybersecurity Directive: Beware Of Early Implementation

De Brauw Blackstone Westbroek N.V.


The European Parliament approved the final text of the EU Network and Information Security Directive (NIS Directive) on 6 July 2016. This marks the final stage of a three-year legislative process on the first EU-wide rules on cybersecurity. The NIS Directive introduces new information security and notification obligations for operators of essential services and key digital service providers. Although member states have approximately two years to transpose the NIS Directive into national law, the Netherlands plans to introduce some obligations as early as the end of 2016 – beginning 2017 under the recently proposed Cybersecurity Breach Notification Bill. Businesses operating in key sectors of the economy should review and update their cybersecurity policies and processes and prepare for the new obligation to report serious cybersecurity incidents to supervisory authorities.

As we reported last month, the NIS Directive is expected to enter into force in August 2016. Member states will then have 21 months to transpose the NIS Directive into their national laws. The NIS Directive applies to two categories of market players: operators of essential services and key digital service providers. The member states will have six additional months to identify the relevant operators in the sectors defined in Annex II of the NIS Directive. These include the energy, banking, financial market infrastructure, drinking water supply, transportation, healthcare and digital infrastructure sectors. Relevant operators and providers will be required to: take appropriate technical and organisational measures to prevent risks of network and information incidents; ensure the security of network and information systems; and notify serious cyber incidents or loss of integrity of vital electronic information systems to the competent supervisory authorities.

This mandatory notification of serious cybersecurity incidents to supervisory authorities will most likely be imposed by the Dutch Cybersecurity Breach Notification Bill as early as the end of 2016 – early 2017. As under the NIS Directive, further regulation will identify the specific businesses that meet the "vital provider" definition under the Bill. The Dutch government recently issued a memorandum regarding the Bill that includes an updated list of providers, products and services that the Dutch government will use to identify vital providers. This list is shorter than the earlier version proposed in May 2015 and currently does not include ICT or telecom service providers, payment services or large-scale processing of chemicals. However, the government indicated that not all relevant sectors are currently on the list and that others will be added at a later stage.

We recommend that businesses operating in the relevant industries closely monitor the national implementation measures taken by the member states, as other countries may follow the Dutch approach of early implementation. We also suggest adopting appropriate cybersecurity policies and implementing risk-based incident response procedures in a timely manner.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
