On 13 March 2014, the European Parliament by a large majority passed the draft Network & Information Security (NIS) directive (also known as the draft cybersecurity directive). This draft directive was proposed by the European Commission on 7 February 2013, and is an essential axis of the cybersecurity plan proposed by the European Commission.
The purpose of the draft directive is to establish measures aimed at ensuring a high common level of network and information security across the Union. To that end, the Member States, the key internet service providers and the critical infrastructure operators will share the obligation to ensure network and information security. For this purpose the draft NIS directive establishes certain obligations for Member States and cooperation mechanisms between them, and commits, under threat of sanctions, certain private operators to adopt certain practices in risk management and to notify the competent national authority of any incident that has a significant impact on the security of the essential services that they provide. The market operators subject to these new requirements may be divided into two groups:
• Providers of information society services (e-commerce platforms, internet payment gateways, social networks, search engines, cloud computing services, application stores, etc.); and
• Operators of critical infrastructures that are essential for the maintenance of vital economic and societal activities in the sectors of energy (suppliers, distribution and transport network operators, etc.), transport (air carriers, maritime carriers, railways, traffic management control operators, etc.), banking services, financial market infrastructures and health (hospitals and private clinics, etc.).
These market operators thus join, to a certain extent, telecommunications operators, which pursuant to the ePrivacy directive already have specific obligations in security matters and in the notification of security breaches.
The adoption of the draft NIS directive depends now on an agreement between the EU Parliament and the Council of the EU on a final text.
For related discussion, please see our article “L’obligation de transparence en cas de faille de sécurité” and our legal alert “Cybersecurity Executive Order Impacts Business.”