European Parliament members adopt 1st EU-wide cyber security law


07 Jul 2016

This week, the European Parliament (EP) has released a statement announcing its backing for new rules which are designed to improve cyber security across all Member States. MEPs have given their approval to the EU Network and Information Security (NIS) Directive which is aimed at setting standardised cyber security regulations and requirements, as well as increasing cooperation between EU countries, with the result of allowing firms to increase their protection against cyber threats.

Cyber security threats and incidents are a global issue and nearly all have a cross border element which often means these issues concern at least two EU Member states. Fragmentary protection leads to increased vulnerability and results in security risks for both individuals and businesses across Europe and up to 80% of EU business say they have experienced a cybersecurity incident in the last 12 months. It is estimated that these attacks can cost up to €340 billion a year and with the steady growth of the digital economy, this figure is only set to rise.

The main objectives of the directive are:

  1. Improved cybersecurity capabilities at a national level. This will be done by increasing awareness and training, new cooperation methods between public and private sectors, risk assessment plans, as well as new strategic objectives and governance frameworks.
  2. Increase EU cooperation. A Cooperation Group will be created in order to support and facilitate strategic cooperation and information sharing among Member States. The type of information that will be shared will include risks, incidents, training, awareness training and R&D. Each Member State will also be required to report to the EC on the experience gained by cooperation, at an interval of every 18 months.
  3. Risk management and incident reporting obligations for operators of essential services and digital service providers. The definition of “essential services” will include energy, transport, banking, financial service infrastructures, health, water and digital infrastructure such as internet exchange points, domain name providers and top level domain name registries. Companies operating under these sectors will be obliged to increase their security measures, including:
  • Preventing risks by developing organisational and technical measures that are both proportionate and appropriate to the particular risk.
  • Guarantee the security of all information and network systems. These measures are to include risk-appropriate levels of security.
  • Appropriate handling of incidents that should minimise their impact on the IT systems used to provide the services.

DSPs such as online market places, cloud computing services and search engines will be required to take additional measures which will include:

  • Increased security of facilities and systems
  • Increased efficiency of incident handling
  • Business continuity management
  • Increased monitoring, auditing and testing
  • Compliance with international standards.

The new Directive enters into force in August 2016 and must be fully transposed into national law by May 2018. To find out what steps your business needs to take in order to comply with NIS, please contact