A new Directive on cyber security was published in the Official Journal of the European Union. The Directive aims to achieve a common level of security of network and information systems within the EU. It requires all Member States to adopt a national strategy on the security of network and information systems and establishes security and notification requirements for operators of essential services and for digital service providers. The Cyber Security Directive applies to certain credit institutions, any operator of a trading venue and central counterparties. 

The Directive requires in-scope entities to take appropriate and proportionate technical and organizational measures to manage risks posed to the security of their network and information systems; and (ii) prevent and minimize the impact of incidents affecting the provision of services to ensure continuity of those services. Such entities will also be subject to certain notification requirements regarding any incidents.

The Cyber Security Directive entered into force on August 8, 2016. Member States are required transpose the Directive into their national laws by May 9, 2018. Member States are required to identify operators of essential services by November 9, 2018.

View the Directive.