Agreement on Directive to strengthen cybersecurity

The European Commission (EC), the European Parliament (EP) and the European Council have agreed on the draft NIS Directive (Network and information Security Directive), the first legislation at European Union (EU) level focusing on cybersecurity. The priority of the Directive is to protect information systems that might compromise the provision of essential services to Europeans, including in areas such as health and public transport.

Security incidents can have a range of different origins, including technical failure, inadvertent error, natural disaster or malicious attack and can cause interruptions in the supply of essential services such as power, water and health care, or transportation services. As far as the EC is concerned, it essential to help prevent such incidents and, if they do occur, to provide a more efficient response.

The objectives of the proposed NIS Directive are as follows:

  • improve cybersecurity capabilities in Member States;
  • improve Member States' cooperation on cybersecurity;
  • require operators of essential services in the energy, transport, banking and healthcare sectors, and providers of key digital services like search engines and cloud computing, to take appropriate security measures and report incidents to the national authorities.

The next step following this political agreement will be the directive's formal adoption by the Council and by the European Parliament and its publication in the EU Official Journal. After its entry into force, Member States will have 21 months to transpose the directive into national legislation and a further 6 months to identify operators of essential services. Member States will also be required to:

  • adopt a national NIS strategy defining the strategic objectives and appropriate policy and regulatory measures in relation to cybersecurity;
  • designate a national competent authority for the implementation and enforcement of the Directive, as well as Computer Security Incident Response Teams, responsible for handling incidents and risks.

The EC will launch a public-Private partnership on cybersecurity in 2016, as announced in the Digital Single Market strategy in May.

Further information: