The Network and Information Security Directive – who is in and who is out?


New cyber security laws agreed on by EU law makers in early December are set to impact on a large number of businesses.

Political agreement on the draft Network and Information Security (NIS) Directive, which could still be amended, was reached by MEPs and representatives of EU governments in early December. It means the path has been cleared for the new rules to be formally adopted in spring 2016. National laws implementing the Directive will need to be in effect two years after it comes into force.

The NIS Directive will impose new network and information security requirements on operators of essential services and digital service providers (DSPs). In addition, those organisations will be required to report certain security incidents to competent authorities or Computer Security Incident Response Teams (CSIRTs). Each EU country must establish these teams, the Directive says. Different security and incident reporting rules will apply to operators of essential services than to DSPs, with a lighter-touch framework applicable to DSPs.

A recently published draft of the Directive helps to clarify which businesses can expect to be classed as ‘operators of essential services’ or as DSPs for the purposes of the new regime.

When will the NIS Directive apply?

Before considering which types of organisations will be deemed operators of essential services or DSPs under the Directive, a key point to note is that the Directive will not apply to all operators of essential services or DSPs.

Following negotiations between the EU’s legislative bodies, the final version of the Directive acknowledges that some sector-specific EU regulatory regimes already deal with information and network security issues. The Directive says: “certain sectors of the economy are already regulated or may in the future be regulated by sector-specific Union legal acts” relating to information and network security.

Where this is the case, the NIS Directive will have no application, even if an organisation would otherwise be considered an operator of an essential service or a DSP. Only regulatory regimes which provide equivalent protection to that set out in the NIS Directive will qualify as a ‘sector-specific Union legal act’ that could apply instead of the provisions of the NIS Directive.


Credit: The Register