On 6th July 2016, EU Directive 2016/1148 was approved by the European Parliament in plenary session in Strasbourg. The Directive, known as the Network and Information Security Directive, presents the first ever set of common EU rules in the field of cybersecurity.
The most important aspect of the Directive, arguably, is the introduction of new notification obligations. Under the Directive, both operators of essential services and digital service providers will be obliged to report serious security incidents to national authorities. Digital service providers include online marketplaces, search engines and cloud services, whereas the operators of essential services could be companies in the energy, transport, health and/or finance sectors.
Before any notifications can be made, though, Member States will have to take action and designate one or more national authorities to deal with cyber threats. Once a notification is made, the competent authority may require that the public be informed about the security breach, but public notifications have not been made mandatory under the new Directive. Moreover, common reporting systems will be introduced to avoid fragmentation between Member State practices and to make reporting easier.
Last but not least, the Directive aims to increase cooperation on cybersecurity between Member States. To this end, a dedicated cooperation group will be set up in order to support and facilitate strategic cooperation and the exchange of information among Member States.
The Directive was published in the Official Journal of the European Union on 19th July and will enter into force twenty days later, in August 2016. Member States will have until 9th May 2018 to transpose the Directive into their national legislation and a further six months (until 9th November 2018) to identify the operators of essential services that have an establishment on their territory.
More information about the new Directive is available here.
The full text of Directive 2016/1148 is available here.
A PSCE document on the Directive is available here.