New EU Cybersecurity Rules have been approved. The European Parliament and the Council of Ministers have agreed on the Network and Information Security Directive (NIS) that will tackle cybersecurity in the European Union. It has an impact on critical service companies (like a bank) and ISPs. The NIS will create certain structures. It is important because it creates the first common EU policy on this topic. Any multi-jurisdictional organisation should take note of it and consider its impact. It also has some provisions similar to the Cybercrimes Bill.

Critical Service Companies

These EU Cybersecurity Rules place some obligations on certain companies. Companies that provide critical services in the energy, transport, banking, financial markets, health, and water supply industries, will have to ensure that their IT infrastructure is secure enough to resist attacks. They will have to report serious security breaches to the public authorities. Member states will have to identify concrete ‘operators of essential services’ from these industries using specified criteria. This aspect of the Network and Information Security Directive is very similar to the National Critical Information Infrastructure in the Cybercrimes Bill.

Internet Service Providers

Internet Service providers  such as online marketplaces (e.g. eBay, Amazon), search engines (e.g. Google) and clouds, will also have to ensure the safety and security of their infrastructure. They will also have to report major incidents. This is similar to the general obligations placed on ECSPs in the Cybercrimes and Cybersecurity Bill. According to the deal, smaller digital companies will get an exemption.


The EU Cybersecurity Rules creates structures and fosters cooperation similar to the CAC Bill. The rules set up a way for member states to exchange information and best practices, draw up guidelines and assist each other in cybersecurity matters. Additionally, a network of Computer Security Incidents Response Teams (CSIRTs) must be created by each member state to handle incidents. This response teams will discuss cross-border security incidents and identify coordinated responses.

This is the first common EU policy on Cybersecurity

Next steps

The Network and Information Security Directive has only been provisionally agreed upon. It still needs to be formally approved by the EU Parliament’s Internal Market Committee and the Council Committee of Permanent Representatives. Once approved, it will be published and official.