The Channel logo


By | Kieren McCarthy 18th May 2016 17:57

Europe adopts new cybersecurity rules for key players

New obligations on providers of essential services

The European Council has adopted new cybersecurity rules to make networks and information services across the European Union safer and more secure.

The network and information security (NIS) directive [PDF] will require providers of essential services – such as energy, transport, health and finance – and "digital service providers" – such as online marketplaces, search engines and cloud services – to take steps to reduce the risk of cyber attacks and to report any major security incidents.

Member states will specifically identify who they believe fits into the essential services group through criteria listed in the directive and they will be subject to stricter rules.

Weaker rules will apply to digital service providers and the rules will apply to anyone in the various identified market sectors with an exemption for small companies. It means Paypal, Amazon and so on will need to meet a new set of minimum security measures devised by the EU.

"This is an important step towards a more coordinated approach in cybersecurity across Europe," said Council president and Luxembourg prime minister Xavier Bettel.

"All actors, public and private, will have to step up their efforts, in particular by increased cooperation between member states and enhanced security requirements."

As part of the agreement, EU member states have agreed to improve cooperation when it comes to cybersecurity. A new group will be created to make that happen, as well as a new network pulling together the national computer security incident response teams (CSIRTs).

The agreement still has to be officially confirmed by member states. It will be formally approved on December 18 – almost exactly one year since the idea was first mooted – and will then also require formal adoption by the Council and Parliament.

Once in force, member states will have 21 months to adopt the measures with a further six months to identify essential service operators. That all means that starting in 2017, Europe's overall cybersecurity will increase, with all measures in place by the middle of 2019. ®

comment icon Read 3 comments on this article or post a comment alert Send corrections


Frank Jennings

What do you do? Use manual typwriters or live in a Scottish croft? Our man advises
A rusty petrol pump at an abandoned gas station. Pic by Silvia B. Jakiello via shutterstock

Trevor Pott

Among other things, Active Directory needs an overhaul
Baby looks taken aback/shocked/affronted. Photo by Shutterstock

Kat Hall

Plans for 2 million FTTP connections in next four years 'not enough'
Microsoft CEO Satya Nadella


League of gentlemen poster - Tubbs and Edward at the local shop. Copyright BBC
One reselling man tells his tale of woe