Network and Information Security Directive closer to reality after MEPs' vote

The Internal Market Committee voted to support the Directive on Wednesday in the latest stage in the passage of the legislation at EU level. Representatives from the European Parliament and Council of Ministers reached a political consensus on the wording of the NIS Directive last month nearly two years after the first draft was proposed by the European Commission.

Both the Parliament and Council must formally adopt the Directive before it can become law. The Internal Market Committee's approval of the text means that "the draft NIS Directive will now be checked by lawyer-linguists before being endorsed by both Council and the full Parliament", according to a statement issued by the Parliament.

The NIS Directive, once finalised, will require businesses subject to it to put in place appropriate security measures to protect their networks and data against cyber security incidents and to report serious cyber incidents they experience to regulators.

Operators of essential services and digital service providers (DSPs) will be subject to the new Directive, although different security requirements and incident reporting rules will apply to operators of essential services than to DSPs, with a lighter touch framework applicable to DSPs.

Technology law expert Luke Scanlon of Pinsent Masons, the law firm behind Out-Law.com, recently looked in detail at which organisations will be subject to the new NIS rules.

German MEP Andreas Schwab said: "A lot of services that citizens use, such as energy, transport and banking, are becoming more and more digitalised. And in all these areas they are heavily reliant on structures that they don't see every day, but which ensure that the services work. If we make these structures safer and more resilient, this will directly benefit European citizens."

In his statement Schwab explained more about how the cyber security incident reporting rules would affect DSPs.

"We only demand that they notify structured attacks to national authorities," he said. "And we don't talk here about every single incident, but only about a serious level of incidents that has to be reported. So the workload is quite small."