The European Parliament has formally adopted the Network and Information Security Directive (NIS Directive) at second reading.
The NIS Directive sets out security and reporting obligations for “operators of essential services” in sectors such as energy, transport, health, banking and drinking water supply. EU Member States will have to identify entities in these fields using specific criteria, e.g. whether the service is critical for society and the economy and whether an incident would have significant disruptive effects on the provision of that service. Some digital service providers – online marketplaces, search engines and cloud services – will also have to take measures to ensure the safety of their infrastructure and will have to report major incidents to national authorities.
The NIS Directive will enter into force 20 days after its publication in the Official Journal of the EU. EU Member States will then have 21 months to transpose the NIS Directive into their national laws and 6 additional months to identify operators of essential services.