Progress made on the first EU-Wide Cybersecurity Legislation

By Simon Shooter


Information systems (computing networks and databases) that enable essential services (such as energy, transport, banking and healthcare), businesses and the internet to function are increasingly being faced with malicious cyberattacks, which could potentially lead to security incidents and disruption of essential services. The border-less nature of the internet means that an incident within one Member State can rapidly have a knock-on effect throughout Europe. Hence, an EU-wide cybersecurity solution was proposed by the Commission in 2013, as part of the EU Cybersecurity Strategy.

Last week, negotiators of the European Parliament, the Council and the Commission reached a consensus on the wording of the Network and Information Security (NIS) Directive. The Directive will set a common baseline level of mandatory cybersecurity measures and reporting of serious breaches to the national authorities, for essential service providers  (i.e. businesses with an important role for society and economy) and providers of key digital services (such as search engines and cloud computing providers). This will improve the resilience of the network and information systems throughout Europe by increasing national cybersecurity capabilities (through adoption of a national NIS strategy), and co-operation on cybersecurity between Member States. A network of Computer Security Incident Response Teams (the CSIRTs Network) will also be established, to promote swift and effective operational co-operation for cybersecurity incidents, and the sharing of information about risks.

Once the NIS Directive comes into force, Member States will have 21 months to implement the Directive into their national laws, and a further six months to identify operators of essential services.

"All operators that are likely to fall within the Directive should already be taking cybersecurity seriously and the Directive shouldn’t be requiring a major upheaval for them. The Directive is the EU's fist hitting the table and saying that it is now serious and companies need to stop merely paying lip service to cybersecurity," commented Simon Shooter, Partner, Bird & Bird LLP.

To assist businesses in establishing prudent and proportionate measures to address Cyber risk and to prepare to respond effectively when a cyberattack hits, while at the same time getting in shape to meet the NIS Directive requirements, the Bird & Bird Cyber team have developed a multidisciplinary task force called CyberBox. CyberBox brings together market leaders in cyber focused insurance, IT forensics and penetration testing, public relations and communications and threat intelligence and cyber relevant law to help clients every step of the way.

If you would like to know more about CyberBox please contact Simon Shooter.