Cybersecurity - EU Directive on the security of networks and information systems (NIS)

The EU Parliament adopted on July 6, 2016 the EU Directive on security of networks and information systems (NIS Directive) which came into force in August this year and benefits of a period of 21 months to be implemented by Member States.

The Direcive is part of the 2013 EU Cybersecurity Strategy. The purpose of the NIS Directive is to ensure a common level of security of networks and information systems in the EU and requires operators or digital service providers to adopt appropriate measures for preventing and managing the risk and report serious incidents to national competent authorities.

The beneficiaries of this Directive are:

  • Operators of critical infrastructures in the following sectors: energy, transport, banking, financial market infrastructure, health, water, infrastructure, digital


  • Certain digital businesses that are considered to be of general importance when it comes to cybersecurity (so-called ‘digital service providers’ – “DSP”): online marketplaces (which allow businesses to set up shops on the marketplace in order to make their products and services available online), cloud computing services and search engines.

Measures to be implemented:

  • Technical and organizational measures which are appropriate and proportional to the risk;
  • Measures should ensure a level of security of network and information systems appropriate to the risks;
  • Measures to prevent minimize the impact of incidents on IT systems used to provide services.

The Directive requires Member States to develop their own strategies in cyber security by defining policies in this regard, developing national legal framework and appointment of the national competent authorities. In order to ensure adequate cross–border cooperation with the relevant authorities in other Member States a national single point of contact must be designated which will exercise a liaison function.