Search for:

Jump straight to:

An unexpected error has occurred

Please enter a search term

Please select

What sectors are you interested in?

We can use your selection to show you more of the content that you’re interested in.

Want to speak to an advisor from your closest office?

Find other offices

Search for:

An unexpected error has occurred

Please enter a search term

Out-Law / Your Daily Need-To-Know

Out-Law News 3 min. read

Network and Information Security Directive set to come into force in August

17 May 2016, 5:18 pm

New measures designed to ensure critical IT systems in central sectors of the economy like banking, energy, health and transport are secure are set to be written into EU law.

The Council of Ministers has announced that the proposed Network and Information Security (NIS) Directive has won formal approval from the national governments that make up the EU. It said the Directive is likely to come into force in August once the European Parliament has voted to endorse the text.

The Directive will apply to operators of essential services and digital service providers. Each EU country will determine which organisations in their jurisdiction are operators of essential services and subject to the rules in line with criteria set out in the Directive.

Digital service providers, which are defined as being online marketplaces, online search engines or cloud computing service providers, will be directly subject to the Directive.

Slightly different rules apply to operators of essential services than apply to digital service providers.

Technology law expert Luke Scanlon of Pinsent Masons, the law firm behind Out-Law.com, assessed which businesses can expect to be subject to the new NIS Directive earlier this year. Scanlon's analysis followed the announcement of political agreement being reached on the draft NIS Directive by MEPs and representatives of EU  governments in December last year.

According to the latest draft of the Directive (77-page / 550KB PDF), operators of essential services will be required to "take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in their operations". Those operators will also need to "take appropriate measures to prevent and minimise the impact of incidents affecting the security of the network and information systems used for the provision of such essential services, with a view to ensuring the continuity of those services".

A new incident notification regime will also apply under the Directive and require operators of essential services to report "incidents having a significant impact on the continuity of the essential services they provide" without undue delay. Notification will have to be made to designated "competent authorities" or Computer Security Incident Response Teams that each EU country will have to set up.

In determining the significance of security incidents operators of essential services will need to consider how many users are affected by disruptions to essential services, how long such an incident lasts and the "geographic spread" of the impact from such an incident.

Digital service providers will also have obligations to ensure the security of their network and information systems and minimise the impact of incidents affecting that security.

Different incident notification obligations will apply to digital service providers than will apply to operators of essential services. Digital service providers will be required to notify incidents that have a substantial impact on the provision of a service they offer in the EU without undue delay.

To determine whether the impact of an incident is substantial or not, digital service providers will need to assess a range of criteria. Relevant factors include the number of users affected by the incident, in particular users relying on the service for the provision of their own services; the duration of the incident; the geographical spread with regard to the area affected by the incident; the extent of the disruption of the functioning of the service, and the extent of the impact on economic and societal activities.

However, the duty to notify incidents will only apply to digital service providers if they have "access to the information needed to assess the impact of an incident against the parameters referred to".

If digital service providers offer services in the EU but have no establishment inside the trading bloc they will be required to appoint a designated representative in the EU so as to fulfil its obligations under the Directive.

Under the proposed Directive EU countries will also be required to outline "a national strategy on the security of network and information systems". New frameworks for cross-border information sharing on security issues will also be established.

EU countries will have 21 months from the date the Directive comes into force to implement the new EU legislation into national laws, according to the Council of Ministers' draft. They will have a further six months to "identify the operators of essential services with an establishment on their territory" that would be subject to the new rules.

Businesses can expect to be included on the list countries draw up if they provide a service which is essential for the maintenance of critical societal and/or economic activities, if the provision of that service depends on network and information systems and if an incident would have significant disruptive effects on the provision of that service, according to the Directive.

Contact an adviser

Scanlon Luke

Luke Scanlon

Head of Fintech Propositions

+44 (0) 20 7490 6597
View Profile

Latest News

Ground rents cap represents compromise, says expert

Anti-suit injunction issued by English court to halt Russian proceedings

Notice provisions in construction contracts

Hong Kong construction dawn raids should prompt tender process reviews

Business has role to play in helping Ukraine rebuild ethically

You might also like

Out-Law Guide

Concurrent delay in UK construction projects

The Covid-19 pandemic and other recent events have led to an increased focus on delays in construction projects with more than one cause.

Construction Advisory & Disputes

Out-Law Guide

The substantial shareholding exemption

The substantial shareholding exemption (SSE) applies to companies and exempts certain gains that would otherwise be subject to UK corporation tax following a disposal of shares.

Corporate tax

Out-Law Guide

Extensions of time and liquidated damages

Most contracts for construction works will include an extension of time mechanism, whereby the contractor will be entitled to an extension of time to the agreed completion date – the date by which the works must be completed – in circumstances where there are delays to a project which are not the contractor’s fault or for which the employer has taken the risk.

Construction Contracts

Out-Law News

UK government plans to revamp holiday pay calculation for part-year workers

Show me more

Out-Law Analysis

Pensions disputes: managing member expectations paramount

Show me more

Out-Law Analysis

UK subsidy control post-Brexit: access to effective judicial remedies

Show me more

Out-Law News

'Steps of court' settlement was not negligent, court rules

Show me more

Out-Law News

'Vast majority' of companies not seeking to avoid tax

Show me more

Out-Law News

'World first' industrial decarbonisation strategy developed in the UK

Show me more

Out-Law Analysis

3D printing: UK product safety issues

Show me more

Out-Law News

5G potential for business highlighted in UK funding programme

Show me more
We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.