Cyber Security Practitioner

Volume: 4 Issue: 9
(September 2018)

New EU cyber security legislation moves towards adoption

In May 2018, the deadline expired for EU Member States to transpose the Network and Information Security Directive (Directive (EU) 2016/1148) (‘NIS Directive’) into national law. This is the first prong of a broader set of initiatives identified by the 2013 EU Cybersecurity Strategy. The NIS Directive identifies operators of essential services (including those in energy, transport, health, banking, financial markets, digital infrastructure and water) and digital service providers (cloud providers, search engines and online marketplaces). Various security measures and security incident reporting obligations apply to the covered entities and subject them to substantial administrative fines for infringements. The NIS Directive also requires Member States to establish national cyber security strategies, designate national authorities to oversee the application of the NIS Directive at the national level, and establish computer security incident response teams (‘CSIRTs’) to coordinate the response to national and cross-border incidents. The Directive also establishes a Cybersecurity Cooperation Group, comprising the European Commission, the European Network and Information Security Agency (‘ENISA’) and Member State representatives, for the purpose of exchanging information and facilitating strategic cooperation. In September 2017, the European Commission published a proposal for a common regulation on ENISA and on information and communication technology cybersecurity certification (‘the Proposed Regulation’), which is intended to complement and build on the NIS Directive. The Proposed Regulation would rebrand ENISA as the Cybersecurity Agency (‘the Agency’), expand its powers to promote a more harmonised approach to cyber security across the EU and establish a framework for cyber security certification of information and communications technology (‘ICT’) products.
The Commission draft of the Proposed Regulation follows various consultations involving comments provided by government, regulators, industry and other stakeholders. On 8 June 2018, Member States’ Ministers adopted a General Approach on the Proposed Regulation, which provides the negotiating mandate for the current holder of the Council presidency, Austria, to start the inter-institutional negotiations (also known as trilogues) with the European Parliament and the European Commission. Trilogue negotiations are expected to begin in mid-September 2018, and the Austrian presidency plans to reach agreement on the final text by December 2018. Ann LaFrance and Bethany Bradley, of Squire Patton Boggs, examine the main issues and options covered by the Proposed Regulation.
