Teal blue graphic

Cyber security: new Directive adopted by the EU Council

The EU Council, which represents the executive governments of the EU's member states, formally adopted new rules to improve the security of network and information systems across the EU, on 17 May 2016.  It is expected that the Network and Information Security Directive (NISD) will come into force in August 2016. 

The aim of the Directive

Cyber security incidents or breaches can have a major impact on the operation of companies and the EU's economy as a whole. High profile incidents over the last few years have included a significant cyber attach in 2015 against Talk Talk and the notorious attack on the Sony PlayStation Network Platform in 2011.

The NISD aims to establish a high common level of network and information security across the EU and help sectors depending on IT systems to be more reliable and stable. This will be achieved by introducing more consistent risk management measures and systematic reporting of incidents.

Key requirements

The NISD will require "operators of essential services" in critical sectors, such as energy, transport, banking, financial market, health and water supply, to ensure that their systems are robust enough to minimise cyber security risks. The rules laid down by the NISD will also apply to digital service providers including all operators of e-commerce platforms, search engines and cloud services.

Operators of essential services will be required to take "appropriate and proportionate technical and organisational measures" to ensure that their systems can manage the risks posed to the information and network systems, which they use in their operations. Competent authorities in each European country will determine the precise measures to be taken and be able to demand documented security policies as evidence of their compliance with the Directive. Operators will also need to notify the national competent authority of any NIS incidents or breaches that may have a significant impact on the services that they provide.  

Digital service providers must report any incident that may have a substantial impact on the security of the network and information systems that they use to offer their services. 

Member States of the EU will be required to designate a competent national authority to be in charge of the security of network and information systems, and employ a national cyber security strategy in compliance with the EU framework. 

Next steps

It is expected that the NISD will be approved by the European Parliament in July and come into force in August 2016.  EU Member States will then have 21 months to transpose the requirements into national law and a further 6 months to identify operators of essential services.  


If your business is likely to be subject to the NISD, it is advisable to carry out internal assessments as soon as possible to ensure that your network and information security practices comply with the increased security measures required by the new EU regime. 

In particular, you should review and update your cyber security policies and ensure that relevant staff are aware of their responsibilities for assessing and reporting any cyber incidents promptly.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at June 2016. Specific advice should be sought for specific cases. For more information see our terms & conditions.

Insights & events View all