On May 17, 2016, the European Council formally adopted its position at first reading of the Network and Information Security Directive (“NIS Directive”). The objective of the NIS Directive is to increase cooperation between EU Member States on issues of network and information security. Companies subject to the NIS Directive are required to adopt “appropriate and proportionate technical and organisational measures.” Specifically, the NIS Directive sets forth new cybersecurity obligations for providers of essential services (including entities within the energy, transport, banking, health, and drinking water supply and distribution sectors), and digital service providers (providers offering online marketplaces, online search engines, and cloud computing services). For a deeper analysis of the NIS Directive, please see “Even More EU Data Regulation: The Network Information Security Directive” written by Jan Dhont and Jim Harvey and available here.
The proposed NIS Directive would also require each EU Member State to designate one or more national authorities on the security of network and information systems, and establish a strategy for dealing with cyber threats.
Discussions and negotiations regarding the NIS Directive have been occurring for quite some time now as an informal political agreement was reached last December, followed by a European Parliament committee vote in favor of the NIS Directive in January. The European Council confirmed the political agreement in February and adopted its position at first reading on May 17th. The European Council will transmit its position to the European Parliament on May 25th. The European Parliament is expected to vote on the NIS Directive during its July 4th to July 7th session, with the NIS Directive going into force in August 2016. EU member states will have 21 months from the NIS Directive’s entry into force to adopt the necessary national provisions.