EU Reaches Agreement on Cybersecurity Rules

EU Reaches Agreement on Cybersecurity Rules

On December 7, 2015, the European Parliament and the Luxembourg Presidency of the Council of the EU reached an agreement on common rules to strengthen network and information security across the EU. The new network and information security Directive (the "NIS Directive") was initiated under the 2013 EU Cybersecurity Strategy following several incidents that highlighted the need to prevent these cyber attacks in the most efficient way. The NIS Directive constitutes the first and essential step for the development of an EU harmonized framework for cybersecurity, as the Commission announced in the Digital Single Market Strategy last May.

The NIS Directive has been controversial in relation to its scope of application because many Member States were sensitive to the protection of their sovereignty in security issues and concerned about the economic impact of this type of regulation.

In this context, the scope of application of the recent agreement is more limited than the original, and it sets the first EU-wide cybersecurity obligations for those business defined as certain key digital service providers and operators of essential services according to the NIS Directive. Operators of essential services are those serving an important role for society and the economy, including the transport, banking, financial market infrastructure, energy, health, and water supply sectors.

The scope of application of the NIS Directive covers the "operators of essential services," and it obligates Member States to identify operators of these services within their jurisdictions and to consider: (i) if the service they provide is critical for the economy and society, (ii) whether it depends on network and information systems, and (iii) whether a cybersecurity incident could have significant disruptive effects on public safety. The scope of application also includes the providers of key digital services, such as cloud computing companies, search engines, and online marketplaces. Social networks and small digital companies (less than 50 employees) are excluded from the scope, however. The NIS Directive obliges both types of operators to take appropriate security measures and to notify the relevant national authority concerning serious incidents.

Additionally, the NIS Directive will lead to the improvement of national cybersecurity capabilities, since Member States will be required to implement a national strategy in relation to the Directive. This strategy will address the strategic goals and the relevant policies and measures regarding cybersecurity issues and will designate a national competent authority for the implementation and enforcement of the NIS Directive, as well as Computer Security Incident Response Teams responsible for handling incidents and risks. However, the national strategy of each Member State will be conducted under the strategic cooperation between Member States, referred to as a "Cooperation Group." This group's function is to support the NIS Directive's functions and facilitate strategic cooperation and the exchange of information among Member States, thereby developing trust among them.

The aim of the NIS Directive is to establish a unified framework for cybersecurity and to ensure that Member States will not adopt different approaches to risk management and incident reporting for affected service providers.

However, this agreement still needs to pass more requirements before it goes into effect. It has to be approved by the EU Parliament's Internal Market Committee and the EU Council's Committee of Permanent Representatives and published in the EU Official Journal, at which point the NIS Directive will be in force. Once the NIS Directive is in force, the EU Member States will likely have a 21-month period to implement the regulation into their legislation and six months to identify their operators of essential services.

Lawyer Contacts

For further information, please contact your principal Firm representative or one of the lawyers listed below. General email messages may be sent using our "Contact Us" form, which can be found at  

Mauricio F. Paez
New York

Undine von Diemar

Paloma Bru

Jonathan Little

Olivier Haas

Laurent De Muyter

Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our "Contact Us" form, which can be found on our website at The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.