Citation
European Union, Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (July 6, 2016).
Overview
The Directive is the first set of EU-wide rules on cybersecurity. It is the main legislative proposal under the 2013 EU Cybersecurity Strategy (Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace).
It requires companies in critical sectors — such as energy, transport, banking and healthcare — to adopt risk management practices and to report major incidents that can affect the Digital Single Market to their national authorities, which will, in turn, be able to carry out better capacity-building with greater cross-border cooperation inside the EU. It also obliges online marketplaces, cloud computing services and search engines to take similar security steps. These rules will help to create the right conditions for people and businesses to use digital tools, networks and services in the EU with confidence.
The Directive will enter into force in August 2016. EU Member States will have 21 months to transpose the Directive into their national laws and 6 months more to identify operators of essential services.