Negotiators of the European Parliament, the Council and the Commission have agreed on the first EU-wide legislation on cybersecurity.

Information systems – computing resources such as networks and databases that enable essential services, businesses and the internet to function – are affected by an increasing number of security incidents. These incidents can have different origins, including technical failures, unintentional mistakes, natural disasters or malicious attacks. They could disrupt the supply of essential services we take for granted such as electricity, water, healthcare, or transport services.

It is a priority for the Commission to help prevent these incidents, and in case they occur, provide the most efficient response. This is why the Commission put forward in 2013 a proposal for a Directive to ensure a high common level of network and information security (NIS) in the EU. The European Parliament and the Luxembourg Presidency of the EU Council of Ministers last night reached an agreement on the rules which will:

• improve cybersecurity capabilities in Member States
• improve Member States' cooperation on cybersecurity
• require operators of essential services in the energy, transport, banking and healthcare sectors, and providers of key digital services like search engines and cloud computing, to take appropriate security measures and report incidents to the national authorities

Andrus Ansip, European Commission Vice-President for the Digital Single Market, welcomed the agreement: "Trust and security are the very foundations of a Digital Single Market. If we want people and businesses to use and make the most of connected digital services, they need to trust them to be secure in the case of attack or failure. The internet knows no border – a problem in one country can have a knock-on effect in the rest of Europe. This is why we need EU-wide cybersecurity solutions. Last night's agreement is an important step in this direction, but we cannot stop here: we plan an ambitious partnership with the industry in the coming months to develop more secure products and services."

Günther H. Oettinger, Commissioner for the Digital Economy and Society, said: "Congratulations to Parliament's negotiation team and to the Luxemburgish Presidency of the Council. The agreement constitutes a major step in improving the resilience of our network and information systems in Europe, one of the objectives of the EU cybersecurity strategy and a cornerstone of our efforts towards creating a Digital Single Market. Improving cooperation and information exchange between Member States is a key element of the agreed rules and will help us tackle the increasing number of cyber-attacks. Cybersecurity is essential in today’s European digital economy and society – and it remains a permanent challenge. We will remain active in this area, and come, in the first half of 2016, with a proposal to establish a public-private partnership on cybersecurity in the area of technologies and solutions for online network security."

Next steps

Following this political agreement, the text will have to be formally approved by the European Parliament and the Council. After that it will be published in the EU Official Journal and will officially enter into force. Member States will have 21 months to implement this Directive into their national laws and 6 months more to identify operators of essential services.

The Commission will build on this achievement to launch a public-Private partnership on cybersecurity in 2016,as announced in the Digital Single Market strategy in May.

Cornerstones of the NIS Directive

Improving national cybersecurity capabilities

Member States will be required to adopt a national NIS strategy defining the strategic objectives and appropriate policy and regulatory measures in relation to cybersecurity. Member States will also be required to designate a national competent authority for the implementation and enforcement of the Directive, as well as Computer Security Incident Response Teams (CSIRTs) responsible for handling incidents and risks.

Improving cooperation

The Directive will create a ‘Cooperation Group’ between Member States, in order to support and facilitate strategic cooperation and the exchange of information among Member States and to develop trust and confidence amongst them. The Commission will provide the secretariat for the Cooperation Group. The Directive will also create a network of Computer Security Incident Response Teams, known as the CSIRTs Network, in order to promote swift and effective operational cooperation on specific cybersecurity incidents and sharing information about risks. The EU Agency for Network and Information Security (ENISA) will provide the secretariat for the CSIRTs Network.

ENISA will play a key role in many aspects of the Directive, particularly in relation to cooperation

Security and notification requirements for operators of essential services

Businesses with an important role for society and economy, referred in the Directive as "operators of essential services", will have to take appropriate security measures and to notify serious incidents to the relevant national authority.

The Directive will cover such operators in the following sectors:

• Energy: electricity, oil and gas
• Transport: air, rail, water and road
• Banking: credit institutions
• Financial market infrastructures: trading venues, central counterparties
• Health: healthcare providers
• Water: drinking water supply and distribution
• Digital infrastructure: internet exchange points (which enable interconnection between the internet's individual networks), domain name system service providers, top level domain name registries

  Member States will identify these operators on the basis of criteria, such as whether the service is essential for the maintenance of critical societal or economic activities.

  Security and notification requirements for digital service providers

  Important digital businesses, referred to in the Directive as "digital service providers" (DSPs), will also be required to take appropriate security measures and to notify incidents to the competent authority. The Directive will cover the following providers:

• Online marketplaces (which allow businesses to set up shops on the marketplace in order to make their products and services available online)
• Cloud computing services
• Search engines

  In line with the objectives of the Digital Single Market strategy, the Directive aims to establish a harmonised set of requirements for digital service providers, so that they can expect similar rules wherever they operate in the EU.

Background

The Network and Information Services (NIS) Directive was the main legislative proposal under the 2013 EU Cybersecurity Strategy (read the press release and a Q&A on the announcement).

The European Parliament voted on its first reading of the draft legislation in March 2014 (see statement). The Council adopted its negotiating mandate under the current Luxembourg Presidency on 4 December 2015 following progress under the Latvian Presidency (see Council press release). Negotiations between the institutions led to an agreement last night.