What to Expect from the EU’s New Network and Information Security Directive

On July 6, 2016, the European Union adopted Directive (EU) 2016/1148, “concerning measures for a high common level of security of network and information systems across the Union,” otherwise known as the Network and Information Security Directive. (A directive, in EU parlance, is an instruction to member states to achieve a particular objective and a general framework for how to do so.  This differs from a regulation, which is immediately binding on all member states.)  Pursuant to this Directive, each member state will have to pass its own national legislation — a concept referred to in EU law as “transposition” — implementing the Directive, and that legislation will necessarily differ from country to country. 

The Directive, however, lays out the essential features we can expect to see Europe-wide.  The Directive requires EU Member States to adopt national strategies for the security of network and information systems. It also creates a Cooperation Group to facilitate strategic information sharing regarding digital threats, and a network of computer security incident response teams, to help with coordination of responses to cyber-threats.   For companies, the Directive creates obligations for “Operators of Essential Services” and for “Digital Service Providers.”   Both sets of entities will be required to implement “appropriate and proportionate technical and organizational measures to manage the risks posed” to their systems, taking account of “the state of the art.”  They will also be responsible to notify national authorities of cybersecurity incidents that have a “significant impact” on the services they provide.

“Operators of Essential Services” are public or private entities in the sectors of:

     (1) energy

     (2) transportation

     (3) banking

     (4) finance

     (5) healthcare

     (6) drinking water, and

     (7) digital infrastructure. 

The Directive requires Member States to identify all operators of essential services within their territory by November 9, 2018. 

“Digital Service Providers” include:

     (1) online marketplaces

     (2) search engines, and

     (3) cloud computing services. 

Importantly, non-Europe based providers of essential or digital services may be subject to this Directive so long as they offer their services within the EU. Exactly how the Directive will apply to particular firms will depend upon national-level legislation, as the Directive is transposed.  As the details are worked out in member states over the next three years, companies that do significant business in Europe will want to keep an eye on national law-making, and to take stock of their cybersecurity strategies.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Foley Hoag LLP - Privacy & Data Security | Attorney Advertising

Written by:


Foley Hoag LLP - Privacy & Data Security on:

JD Supra Readers' Choice 2016 Awards
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.

Already signed up? Log in here

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.