Approved by MEPs this week, the new rules aim to help EU member states to tackle the growing number of cyber attacks.

Setting common cybersecurity standards and stepping up cooperation among EU countries will help firms to protect themselves, and also help prevent attacks on EU countries’ interconnected infrastructure, say MEPs.

“Cybersecurity incidents very often have a cross-border element and therefore concern more than one EU member state. Fragmentary cybersecurity protection makes us all vulnerable and poses a big security risk for Europe as a whole. This directive will establish a common level of network and information security and enhance cooperation among EU member states, which will help prevent cyber-attacks on Europe’s important interconnected infrastructures in the future”, said Parliament's rapporteur Andreas Schwab (EPP, DE).

The EU network and information security (NIS) directive lays down security and reporting obligations for “operators of essential services” in sectors such as energy, transport, health, banking and drinking water supply.  EU member states will have to identify entities in these fields using specific criteria, e.g. whether the service is critical for society and the economy and whether an incident would have significant disruptive effects on the provision of that service.

Some digital service providers – online marketplaces, search engines and cloud services – will also have to take measures to ensure the safety of their infrastructure and will have to report major incidents to national authorities. The security and notification requirements are, however, lighter for these providers. Micro- and small digital companies will be exempted from these requirements.

The NIS directive will soon be published in the EU Official Journal and will enter into force on the twentieth day after publication. Member states will then have 21 months to transpose the directive into their national laws and six additional months to identify operators of essential services.