On July 6, 2016, the EU Parliament adopted a directive on the security of network and information systems. The NIS Directive aims to promote a common level of security of network and information systems across the EU through improved cybersecurity measures at the national level, increased cooperation within the EU, and risk management and incident reporting by “operators of essential services” and “digital service providers.” EU member states will have 21 months to transpose the NIS Directive into their national laws, and an additional six months to identify covered service providers.
Each EU member state will first adopt a national strategy on cybersecurity and appoint a cybersecurity regulatory agency to monitor the application of the measures at the national level. Member states will then establish rules for operators of essential services, which include businesses with an important role in society and the economy. Such operators will be required to undertake appropriate network security measures and to notify the regulators of serious incidents. The required security measures will include those aimed at preventing risks, establishing network security, and handling security incidents. Likewise, digital service providers (i.e., online marketplace operators, cloud service providers, search engines, etc.) will also be required to implement similar measures and report substantial incidents to the national authorities.
While IP telephony providers are not specifically covered by the NIS Directive, it is possible that they and other electronic communications service providers may be covered when the NIS Directive is transposed into national laws. Hosted or managed service providers with cloud service platforms will likely also be covered, and should track implementation of the directive in the EU jurisdictions in which they operate so as to prepare for these new obligations.
Edited by Stefania Viscusi