This document is an excerpt from the EUR-Lex website
Cybersecurity of network and information systems
WHAT IS THE AIM OF THE DIRECTIVE?
It proposes a wide-ranging set of measures to boost the level of security of network and information systems (cybersecurity*) to secure services vital to the EU economy and society. It aims to ensure that EU countries are well-prepared and are ready to handle and respond to cyberattacks through:
It also establishes EU-level cooperation both at strategic and technical level.
Lastly, it introduces the obligation on essential-services providers and digital service providers to take the appropriate security measures and to notify the relevant national authorities about serious incidents.
Improving national cybersecurity capabilities
EU countries must:
EU countries must also put in place a national cybersecurity strategy for network and information systems*, covering the following issues:
The national competent authorities monitor the application of the directive by:
The CSIRTs are responsible for:
Security and notification requirements
The directive aims to promote a culture of risk management. Businesses operating in key sectors must evaluate the risks they run and adopt measures to ensure cybersecurity. These companies must notify the competent authorities or CSIRTs of any relevant incident, such as hacking or theft of data, that seriously compromises cybersecurity and has a significant disruptive effect on the continuity of critical services and the supply of goods.
To determine incidents to be notified by providers of essential services*, EU countries should take into account an incident’s duration and geographical spread, as well as other factors, such as the number of users relying on that service.
Key digital service providers (search engines, cloud computing services and online marketplaces) will also have to comply with the security and notification requirements.
Improving EU-level cooperation
The directive sets up the cooperation group whose tasks include:
It also sets up the CSIRT network, comprising representatives of EU countries’ CSIRTs and the Computer Emergency Response Team for the EU institutions (CERT-EU). Its tasks include:
EU countries must apply effective, proportionate and dissuasive penalties to ensure that the terms of this directive are applied.
FROM WHEN DOES THIS DIRECTIVE APPLY?
It applies from 8 August 2016. EU countries have to incorporate it into national law by 9 May 2018, and identify providers of essential services by 9 November 2018.
Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (OJ L 194, 19.7.2016, pp. 1-30)
Commission Implementing Regulation (EU) 2018/151 of 30 January 2018 laying down rules for application of Directive (EU) 2016/1148 of the European Parliament and of the Council as regards further specification of the elements to be taken into account by digital service providers for managing the risks posed to the security of network and information systems and of the parameters for determining whether an incident has a substantial impact (OJ L 26, 31.1.2018, pp. 48-51)
Commission Implementing Decision (EU) 2017/179 of 1 February 2017 laying down procedural arrangements necessary for the functioning of the Cooperation Group pursuant to Article 11(5) of Directive (EU) 2016/1148 of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems across the Union (OJ L 28, 2.2.2017, pp. 73-77)
Communication from the Commission to the European Parliament and the Council: Making the most of NIS – towards the effective implementation of Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (COM(2017) 476 final 2, 4.10.2017)
Commission Recommendation (EU) 2017/1584 of 13 September 2017 on coordinated response to large-scale cybersecurity incidents and crises (OJ L 239, 19.9.2017, pp. 36-58)
Joint communication to the European Parliament and the Council — Resilience, Deterrence and Defence: Building strong cybersecurity for the EU (JOIN(2017) 450 final, 13.9.2017)
Commission staff working document — Assessment of the EU 2013 cybersecurity strategy (SWD(2017) 295 final, 13.9.2017)
Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OJ L 257, 28.8.2014, pp. 73-114)
Council Decision 2013/488/EU of 23 September 2013 on the security rules for protecting EU classified information (OJ L 274, 15.10.2013, pp. 1-50)
Successive amendments to Decision 2013/488/EU have been incorporated into the original document. This consolidated version is of documentary value only.
Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA (OJ L 218, 14.8.2013, pp. 8-14)
Regulation (EU) No 526/2013 of the European Parliament and of the Council of 21 May 2013 concerning the European Union Agency for Network and Information Security (ENISA) and repealing Regulation (EC) No 460/2004 (OJ L 165, 18.6.2013, pp. 41-58)
Joint communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions — Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace (JOIN(2013) 1 final, 7.2.2013)
last update 01.03.2018