On 10 February 2016 the final draft text of a proposed directive on network and information security (NIS) was submitted to the European Council, setting the path to an early second reading of the directive in Parliament in Q2 2016.

The NIS Directive will require ‘operators of essential services’ to meet a minimum set of network and IT security standards and best practice. Companies affected will include critical infrastructure operators in sectors such as financial services, transport, energy and health, IT service companies, including app stores, e-commerce platforms, e-health platforms, internet payment platforms, cloud computing platforms, search engines and social networks. The Directive will require each Member State to ensure that relevant companies take appropriate technical and organisational measures to manage cybersecurity risks and implement steps to minimise the impact of incidents. In the event of an incident, relevant companies will be required to notify and report to a competent national authority without delay, which will in turn inform the authorities in other Member States.

The measures to be taken by critical infrastructure operators will be required to cover security of systems and facilities, incident management, business continuity management, monitoring auditing and testing and compliance with technical standards.

Companies falling within the scope of the Directive will be subject to the jurisdiction of the Member State where it has its main EU establishment – its headquarters. Non-EU entities will be required to nominate a representative in the EU.

Richard Clegg