13 July 2016

European Parliament adopts EU cybersecurity directive: beware of early implementation

The European Parliament approved the final text of the EU Network and Information Security Directive (NIS Directive) on 6 July 2016. This marks the final stage of a three-year legislative process on the first EU-wide rules on cybersecurity. The NIS Directive introduces new information security and notification obligations for operators of essential services and key digital service providers. Although member states have approximately two years to transpose the NIS Directive into national law, the Netherlands plans to introduce some obligations as early as the end of 2016 – beginning 2017 under the recently proposed Cybersecurity Breach Notification Bill. Businesses operating in key sectors of the economy should review and update their cybersecurity policies and processes and prepare for the new obligation to report serious cybersecurity incidents to supervisory authorities.

As we reported last month, the NIS Directive is expected to enter into force in August 2016. Member states will then have 21 months to transpose the NIS Directive into their national laws. The NIS Directive applies to two categories of market players: operators of essential services and key digital service providers. The member states will have six additional months to identify the relevant operators in the sectors defined in Annex II of the NIS Directive. These include the energy, banking, financial market infrastructure, drinking water supply, transportation, healthcare and digital infrastructure sectors. Relevant operators and providers will be required to: take appropriate technical and organisational measures to prevent risks of network and information incidents; ensure the security of network and information systems; and notify serious cyber incidents or loss of integrity of vital electronic information systems to the competent supervisory authorities.

This mandatory notification of serious cybersecurity incidents to supervisory authorities will most likely be imposed by the Dutch Cybersecurity Breach Notification Bill as early as the end of 2016 – early 2017. As under the NIS Directive, further regulation will identify the specific businesses that meet the “vital provider” definition under the Bill. The Dutch government recently issued a memorandum regarding the Bill that includes an updated list of providers, products and services that the Dutch government will use to identify vital providers. This list is shorter than the earlier version proposed in May 2015 and currently does not include ICT or telecom service providers, payment services or large-scale processing of chemicals. However, the government indicated that not all relevant sectors are currently on the list and that others will be added at a later stage.

We recommend that businesses operating in the relevant industries closely monitor the national implementation measures taken by the member states, as other countries may follow the Dutch approach of early implementation. We also suggest adopting appropriate cybersecurity policies in a timely manner and implementing risk-based incident response procedures.

Read more in our articles on the NIS Directive and on the Dutch Cybersecurity Breach Notification Bill.