Out-Law / Your Daily Need-To-Know

EU law makers reach deal on new network and information security rules

Out-Law News | 08 Dec 2015 | 1:10 pm | 2 min. read

Banks, energy companies, health care providers and digital service providers are among the organisations that will be subject to new cyber security laws agreed by law makers in the EU on Monday.

Representatives from the European Parliament and Council of Ministers reached a political consensus on the wording of a new Network and Information Security (NIS) Directive after nearly two years of negotiations.

The draft Directive, still to be formally approved by MEPs and the Council, will require businesses subject to it to put in place appropriate security measures to protect their networks and data against cyber security incidents and to report serious breaches to regulators.

The agreed text of the Directive is not yet available, but statements issued by the Parliament, Council and European Commission indicate that a two-tiered framework will exist under the new rules.

The Directive will apply to operators of essential services. EU countries will be responsible for selecting the organisations they deem to be operating essential services and which should be subject to the new regime in accordance with criteria set out in the Directive.

Major banks, companies engaged in financial trading and operators of electricity and oil and gas networks are expected to be among the organisations covered, as well as organisations that oversee air, road and rail transport systems, health providers, companies overseeing water supply and operators of digital infrastructure such as domain name system service providers.

Digital service providers, including cloud computing providers, search engines and online marketplaces, will also fall subject to the new framework, although they will face a lighter regulatory regime than operators of essential services. Small digital service providers will be exempt from the Directive, according to the statements issued by the EU institutions.

A new information sharing initiative is also envisaged under the Directive, under which countries will pass on details of cyber threats and incidents so that the response to such risks is better coordinated across the EU.

Once the Directive is finalised and published in the Official Journal of the EU, EU countries will have 21 months in which to transpose it into national law and then a further six months to identify the operators of essential services that will be subject to the rules in their jurisdiction.

"Trust and security are the very foundations of a digital single market," EU commissioner for the digital single market Andrus Ansip said. "If we want people and businesses to use and make the most of connected digital services, they need to trust them to be secure in the case of attack or failure. The internet knows no border – a problem in one country can have a knock-on effect in the rest of Europe. This is why we need EU-wide cyber security solutions."

It had looked like the NIS Directive would be finalised late last year, but disagreement over the scope of the Directive held up that process. Some EU countries wanted 'digital service platforms' to be subject to the NIS Directive, but the UK government and others were resistant to those plans, Rachael Bishop, policy officer at the Department for Business, Innovation and Skills (BIS) on cyber security EU and international policy, told Out-Law.com earlier this year.