EU Cyber Security Directive To Enter Into Force In August
Wednesday, May 18, 2016
Cybersecurity, EU Security Directive To Enter Into Force In August

Related Practices & Jurisdictions
Print Mail Download i

The EU Network and Information Security (NIS) Directive now looks likely to enter into force in August of this year.  Member States will then have 21 months to implement it into national law before the new security and incident notification obligations will start to apply to the following entities:

  • designated* “operators of essential services” within the energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, and digital infrastructure sectors; and

  • certain “digital service providers” that offer services within the EU, namely online market places, online search engines and cloud computing services, excluding small/micro enterprises.

* Once implemented in national law, Member States will have a further 6 months to apply criteria laid down in the Directive to identify specific operators of essential services covered by national rules; they do not need to undertake this exercise in relation to digital service providers, which shall be deemed to be under the jurisdiction of the Member State in which it has its “main establishment” (i.e., its head office in the Union).

Following the informal political agreement reached last December on the NIS Directive (see our report here), European legislators have been taking the final formal steps in recent months.  In January, a European Parliament committee voted in favour of the Directive.  The Council confirmed the political agreement in late February and, following the lawyer linguist revision (i.e., to clean up the text), adopted its position in first reading on May 17.  The Council will now transmit its position to the European Parliament on May 25.  The European Parliament is expected to vote during its July 4 to July 7 plenary session, which will allow the Directive to enter into force in August.

According to recent information from the Presidency, the European Commission has already been making necessary steps to prepare ground for the implementation of the Directive.  A first informal meeting of the cooperation group — composed of representatives of Member States, the Commission, and the European Union Agency for Network and Information Security (“ENISA”) — is now foreseen to take place on June 14.

Companies that may fall within the scope of the new rules should monitor the implementation process in key Member States as well as guidance from national competent authorities and ENISA.

© 2024 Covington & Burling LLP

Current Legal Analysis

More from Covington & Burling LLP

Standing Issues in Data Breach Litigation: An Overview
by: Priscilla Fasoro , Lauren Wiseman
Financial Agencies Release Joint Statement on Innovative Efforts to Combat Money Laundering and Terrorist Financing
by: Lucille C. Bartholomew
Senate Confirms Kraninger as BCFP Director
by: Luis Urbina
FTC Solicits Public Comment on Identity Theft Detection Rules
by: S. Burr Eckstut
Significant FDA Digital Health Policy Development for Prescription Drug Sponsors
by: Mingham Ji , Christina G. Kuhn
First Significant Pay-to-Play Legislation for the District of Columbia Approved by D.C. Council
by: Kevin Glandon
FTC Settles with PR Firm and Publisher Over Social Media Endorsements
by: Inside Privacy Blog at Covington and Burling
Senate Testimony Highlights Tensions in BSA/AML Reform Efforts as Lawmakers Consider Bipartisan Legislation
by: Sam Adriance
Reprieve in U.S.-China Trade Tensions: U.S. Tariffs on $200 Billion in Chinese Imports to Stay at 10 Percent for 90 Days; China to Purchase U.S. Goods
by: Christopher Adams , John Veroneau
AI Update: FCC Hosts Inaugural Forum on Artificial Intelligence
by: Thomas Parisi

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins