Agreement reached on new EU cyber-security rules
Published 2 January 2016
What does this cover?
The European Parliament (Parliament) has agreed the terms of the Network and Information Security Directive (the Directive) with the Luxembourg Presidency of the EU Council of Ministers.
Andreas Schwab, Parliament's rapporteur, commented that "Parliament has pushed hard for a harmonised identification of critical operators in energy, transport, health or banking fields, which will have to fulfil security measures and notify significant cyber incidents. Member states will have to cooperate more on cyber security – which is even more important in light of the current security situation in Europe ... Moreover this directive marks the beginning of platform regulation. Whilst the Commission's consultation on online platforms is still on-going, the new rules already foresee concrete definitions – a request that Parliament had made since the beginning in order to give its consent to the inclusion of digital services."
The agreed text of the Directive has yet to be published. However, the draft proposals of 7 February 2013 outlined provisions for each member state to adopt a national strategy in order to "achieve and maintain a common high level of security of network and information systems." The draft Directive further proposed that, "To ensure transparency and properly inform EU citizens and market operators, the competent authorities should set up a common website to publish non-confidential information on the incidents and risks." It is therefore likely that the new Directive would have these elements among its key focus points.
The agreed text of the Directive now requires official approval by the Council Committee of Permanent Representatives and Parliament's Internal Market Committee.
What action could be taken to manage risks that may arise from this development?
Organisations which fall within the definition of an operator of critical infrastructure should continue to monitor developments as the Directive is implemented by the UK legislature.