Network and Information Security (NIS) Directive

The Network and Information Security (NIS) Directive aims to achieve a high common level of security of networks and information systems within the European Union. The final text was published on July 6, 2016. 

The NIS Directive establishes security and notification requirements for Operators of Essential Services (OoES) and Digital Service Providers (DSP). The affected sectors are energy, transport, financial market infrastructure, health, drinking water and digital infrastructure; online marketplaces, online search engines and cloud services that provide services in the EU are covered as well.

The NIS Directive lays down specific requirements for Member States of the EU to adopt a national NIS strategy and to designate National Competent Authorities (NCA), Single Points of Contact (SPoC) and Computer Security Incident Response Teams (CSIRT). In addition to the Member State requirements, the NIS Directive also organizes an EU cooperation group and a network of CSIRTs.

Implementation / enforcement 12/2012 - 02/2013
Discussion / consultation 02/2013 - 08/2016
Implementation / enforcement 08/2016 - 05/2018
In effect 05/2018 -

The NIS Directive was adopted by the European Parliament on 6 July 2016 and entered into force in August 2016. Member States have to transpose the Directive into their national laws by 9 May 2018 and identify operators of essential services by 9 November 2018.

There are many challenges with the implementation of the NIS Directive. Organizations are faced with additional cyber security legislation on a national level. EU Member States are also faced with requirements for unbiased identification of Operators of Essential Services and Digital Service Providers. Governing bodies will need to respond adequately to the incidents that organizations are required to report. And last but not least, compliance monitoring and enforcement with fines need to be organized.

Chantal Rademaker de Ridder, Partner