The new EU Network and Information Systems Directive has entered into force
24/10/2016

The NIS (network and information systems) Directive was adopted on 6 July 2016 and entered into force on 8 August 2016. This is the first Europe-wide legislation on cybersecurity.

Andrus Ansip, the EU Commission Vice-President for the Digital Single Market, declared, “If we want people and businesses to make the most of digital services, they need to trust them. A Digital Single Market can only be created in a secure online environment.” The Directive aims to generate a global approach towards cybersecurity in Europe based on common, minimum capacity-building and planning requirements, exchange of information, cooperation, and common security and notification requirements for operators of essential services and digital service providers. To these ends, the NIS Directive also set up two working groups: (i) the Cooperation Group, to facilitate cooperation and exchange of information between Member States, and (ii) a network of computer security incident response teams (a “CSIRTs network”).

The NIS Directive applies to both digital service providers and operators of essential services. The latter will have to be identified by Member States and can be private or public entities operating in the following industries: energy, transportation, banking and financial markets, health care, drinking water supply and distribution, and digital infrastructure. Digital service providers include online marketplaces (e.g. e-commerce platforms), cloud computing services, and online search engines. Because digital service providers bear a lesser risk than operators of essential services, the security obligations imposed on them are lighter. It is also worth mentioning that hardware manufacturers and software developers do not qualify as operators of essential services. In addition, micro and small enterprises do not have to abide by the requirements imposed on digital service providers, even though they would qualify as such.

A Member State will have jurisdiction over the operators of essential services that it has identified as such, as well as over digital service providers having their main establishment in that Member State, i.e. generally if the provider has its head office in that country. A digital service provider based outside the EU can also fall under the scope of the NIS Directive if it offers services within the EU (the mere accessibility in the EU of the service offered or of an intermediary’s website is not sufficient). In such a scenario, the non-EU entity will have to designate a representative in the Member State where it offers its services.

Member States now have until 9 May 2018 to implement the provisions of the NIS Directive in their national laws. Companies should start preparing now and ask themselves whether they fall under the scope of the NIS Directive. If they do, they should start reviewing their security processes and closely follow the implementing laws and practical guidance that will be adopted in their respective countries.

See also: Stibbe (Ms. Carol Evrard)

[+ https://www.stibbe.com/en/news/2016/october/the-new-eu-network-and-information-systems-directive-has-entered-in-force]

