EU Reaches Agreement on Cybersecurity Rules
The NIS Directive has been controversial in relation to its scope of application because many Member States were sensitive to the protection of their sovereignty in security issues and concerned about the economic impact of this type of regulation.
In this context, the scope of application of the recent agreement is more limited than the original, and it sets the first EU-wide cybersecurity obligations for those businesses defined under the NIS Directive as certain key digital service providers and operators of essential services. Operators of essential services are those serving an important role for society and the economy, including the transport, banking, financial market infrastructure, energy, health, and water supply sectors.
The scope of application of the NIS Directive covers the "operators of essential services," and it obligates Member States to identify operators of these services within their jurisdictions and to consider: (i) whether the service they provide is critical for the economy and society, (ii) whether it depends on network and information systems, and (iii) whether a cybersecurity incident could have significant disruptive effects on public safety. The scope of application also includes the providers of key digital services, such as cloud computing companies, search engines, and online marketplaces. Social networks and small digital companies (fewer than 50 employees) are excluded from the scope, however. The NIS Directive obliges both types of operators to take appropriate security measures and to notify the relevant national authority of serious incidents.
Additionally, the NIS Directive will lead to the improvement of national cybersecurity capabilities, since Member States will be required to implement a national strategy in relation to the Directive. This strategy will address the strategic goals and the relevant policies and measures regarding cybersecurity issues and will designate a national competent authority for the implementation and enforcement of the NIS Directive, as well as Computer Security Incident Response Teams responsible for handling incidents and risks. However, the national strategy of each Member State will be conducted within a framework of strategic cooperation between Member States, referred to as the "Cooperation Group." This group's role is to support the functions of the NIS Directive and to facilitate strategic cooperation and the exchange of information among Member States, thereby developing trust among them.
The aim of the NIS Directive is to establish a unified framework for cybersecurity and to ensure that Member States will not adopt different approaches to risk management and incident reporting for affected service providers.
However, this agreement still needs to satisfy further requirements before it goes into effect. It has to be approved by the EU Parliament's Internal Market Committee and the EU Council's Committee of Permanent Representatives and published in the EU Official Journal, at which point the NIS Directive will be in force. Once the NIS Directive is in force, the EU Member States will likely have a 21-month period to implement the regulation into their legislation and six months to identify their operators of essential services.
Mauricio F. Paez
Undine von Diemar
Laurent De Muyter
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our "Contact Us" form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.