On May 17, 2016, the European Council adopted its position at first reading of the Network and Information Security Directive (the “NIS Directive”). The NIS Directive was proposed by the European Commission on February 7, 2013, as part of its cybersecurity strategy for the European Union, and is designed to increase cooperation between EU Member States on cybersecurity issues.

The NIS Directive will impose security obligations on “operators of essential services” in critical sectors and “digital service providers.” These operators will be required to take measures to manage cyber risks and report major security incidents.

Operators of essential services will include entities within the energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, and digital infrastructure sectors. The security obligations imposed on these operators will be stronger than those for digital service providers (i.e., providers offering online marketplaces, online search engines and cloud computing services in the EU).

Further, each EU Member State will be required to (1) designate one or more national authorities on the security of network and information systems and (2) establish a strategy for dealing with cyber threats.

Next steps

The NIS Directive must be approved by the European Parliament in plenary session. The NIS Directive is expected to enter into force in August 2016. Thereafter, EU Member States will have 21 months to adopt the necessary national provisions. Following this period, EU Member States will have six months to identify operators of essential services. In order to do so, EU Member States should assess whether services are essential for the maintenance of critical social and economic activities.