On July 6, 2016, the European Union adopted Directive (EU) 2016/1148, “concerning measures for a high common level of security of network and information systems across the Union,” otherwise known as the Network and Information Security Directive. (A directive, in EU parlance, is an instruction to member states to achieve a particular objective and a general framework for how to do so. This differs from a regulation, which is immediately binding on all member states.) Pursuant to this Directive, each member state will have to pass its own national legislation — a concept referred to in EU law as “transposition” — implementing the Directive, and that legislation will necessarily differ from country to country.
The Directive, however, lays out the essential features we can expect to see Europe-wide. The Directive requires EU Member States to adopt national strategies for the security of network and information systems. It also creates a Cooperation Group to facilitate strategic information sharing regarding digital threats, and a network of computer security incident response teams to help coordinate responses to cyber-threats. For companies, the Directive creates obligations for “Operators of Essential Services” and for “Digital Service Providers.” Both sets of entities will be required to implement “appropriate and proportionate technical and organizational measures to manage the risks posed” to their systems, taking account of “the state of the art.” They will also be responsible for notifying national authorities of cybersecurity incidents that have a “significant impact” on the services they provide.
“Operators of Essential Services” are public or private entities in the sectors of:
(1) energy
(2) transportation
(3) banking
(4) finance
(5) healthcare
(6) drinking water, and
(7) digital infrastructure.
The Directive requires Member States to identify all operators of essential services within their territory by November 9, 2018.
“Digital Service Providers” include:
(1) online marketplaces
(2) search engines, and
(3) cloud computing services.
Importantly, providers of essential or digital services based outside Europe may be subject to this Directive so long as they offer their services within the EU. Exactly how the Directive will apply to particular firms will depend upon national-level legislation, as the Directive is transposed. As the details are worked out in member states over the next three years, companies that do significant business in Europe will want to keep an eye on national law-making and to take stock of their cybersecurity strategies.