
Cybersecurity: EU policymakers agree Network and Information Security Directive

European Union (EU) policymakers have made significant progress toward finalising the first EU-wide legislation on cybersecurity. Together with the EU data protection package, the new rules set the scene for a more harmonised cybersecurity framework across the EU.

Fri 22 Jan 2016

Background

On 7 December 2015, after over a year of negotiations, the European Parliament and the EU Council of Ministers reached informal agreement on the Network and Information Security Directive (“NIS Directive”).

This landmark Directive – the first time the EU has legislated on cybersecurity – aims to establish a harmonised set of security and incident-notification requirements for certain businesses (i.e. operators of essential services and digital service providers), so as to achieve a high common level of network and information security across the EU. It does not, and cannot, make those businesses immune to cyber-attack; it requires them to manage the risk and to report significant incidents.

Key points

Interplay between NIS Directive and EU General Data Protection Regulation (“GDPR”)

Although both the NIS Directive and the GDPR require operators to adopt risk-based security measures and impose mandatory incident notification in the event of a breach, they protect different interests and may apply to distinct types of incident.

Whilst the GDPR aims to safeguard personal data, the Directive’s focus is on the security of network and information systems. The targets are also distinct: the GDPR will apply to any person or entity processing the personal data of individuals in the EU, whereas the NIS Directive is addressed only to operators of essential services and digital service providers. A single incident may therefore trigger notification under both regimes (for example, an attack on a network that also exposes customer data), or under only one of them.

Finally, the NIS Directive specifies that, where personal data are compromised as a result of a serious incident, the national competent authorities (NCAs) designated under the Directive and the data protection authorities must cooperate and exchange all relevant information so that the resulting personal data breach can be addressed.

Impact on the Lloyd’s market

Next steps

The political agreement reached in December 2015 still needs to be formally adopted by the European Parliament and the EU Council (expected in spring 2016). Once the Directive is published in the EU Official Journal, Member States will have 21 months to transpose it into national law, and a further six months after that to identify the operators of essential services established on their territory.