First EU-Wide Cybersecurity Law Approved By EU Parliament

On 8 December 2015, the European Commission issued a press release stating that the European Parliament and the EU Council of Ministers reached agreement on a new body of legislation which, when adopted, has the objective of making our online environment more secure. 

The Directive on Network and Information Security would be the first EU-wide legislation on cybersecurity. The proposal for the Directive was issued in 2013 as part of the 2013 EU Cybersecurity Strategy. The aim of the Directive is to provide a standard set of rules that will allow EU Member States to better deal with cyber-attacks. According to the European Commission, past initiatives to adopt security measures were too fragmented, voluntary in nature and left too many gaps in overall cybersecurity. 

Companies are confronted more and more with cyber attacks on their information systems, caused by various origins such as technical failures, unintentional mistakes, malicious attacks and natural disasters. The Directive will provide help to prevent such incidents and provide the most efficient response to them when they do occur. 

The Directive will apply to companies which qualify as ‘operators of essential services’, being businesses with an important role for society and economy. Examples given by the Directive are business operating in the energy, transport, banking, health, water, financial market and digital infrastructure sectors. Online marketplaces, businesses offering cloud computing services and search engines. These companies will have to take appropriate security measures to resist cyber attacks. The companies will also have to notify serious incidents to the relevant national authority. Examples of serious incidents include the unavailability of online booking systems and the unavailability of a cloud service provider not being able to grant users access to their content.   

The provisions of the Directive provide minimum obligations that Member States must ensure are in place in their national legislation. Member States will have to implement these baseline provisions into their national laws, but are allowed to implement more stringent legislation. 

The Directive does not only intend to improve cybersecurity by providing a standard set of rules. The Directive also seeks to improve cooperation between Member States by encouraging them to exchange information and best practices on cybersecurity. For that purpose, a network of Computer Security Incident Response Teams will be set up, which will promote swift and effective operational cooperation on specific cybersecurity incidents and sharing information about risks. 

The next step towards the adoption of the Directive is the formal approval of its text by the EU Parliament and the EU Council of Ministers. After that, the Directive will enter into force and Member States will have a period of 21 months to implement the legislation into their national laws. 

The proposed text of the Directive is available here.