First EU-wide Legally Binding Cybersecurity Directive Becomes National Law

European CommissionToday, 9 May 2018, is the deadline for the Directive on Security of Network and Information Systems (NIS Directive) to become a national law in all EU countries. It is a landmark occasion, since the NIS Directive is the first piece of legislation on cybersecurity that is legally binding in all EU member states. The Directive establishes a high common level of security of network and information systems across the EU.

European Commission Vice-President, Andrus Ansip, with Commissioners Dimitris Avramopoulos, Julian King and Mariya Gabriel, issued a joint statement praising the adoption of the Directive. They also stressed that “to further boost the Union's cybersecurity, the EU should swiftly give a strong and permanent mandate to its Agency for Cybersecurity, the European Union Agency for Network and Information Security (ENISA) and establish an EU framework for cybersecurity certification. Together with Member States we should also complete the joint work on the blueprint for cooperation in the event of large scale cross-border cybersecurity incidents and crises that mainstreams cybersecurity to existing crisis management mechanisms at EU level. The Connecting Europe Facility (CEF) programme is providing €38 million in funding until 2020 to support NIS Directive stakeholders."

The Directive was adopted in August 2016 and is a major part of the effort to scale up the EU's cybersecurity capabilities.

Member States will have a further six months to identify operators of essential services that will fall in the scope of the Directive – businesses that operate in sectors vital for the economy and society and rely strongly on ICTs.

The full statement can be found on the website of the European Commission, which has also produced a concise factsheet on the NIS Directive.