On July 6, 2016, the European Parliament passed the Network and Information Security (“NIS”) Directive, over three years after the initial draft was proposed. The Directive will enter into force in August 2016. EU Member States will then have 21 months to transpose the Directive into their national laws and 6 additional months to identify the operators of certain essential services that are subject to the Directive’s requirements.
On December 7, 2015, more than two and a half years after the first draft, the European Union Council finally reached an important, informal agreement with the Parliament on network and information security rules (“NIS-Directive”) affecting companies across the EU. The agreement is the culmination of the European Commission’s Cybersecurity strategy effort that began in February 2013 with the European Commission’s proposed draft directive on measures to ensure a common level of network and information security. Final adoption of the NIS-Directive will have several important consequences, including increased focus by Boards of Directors on cybersecurity risk and the need for companies to increase their investment in information security, to prepare and implement cybersecurity incident response plans, and to conduct comprehensive internal investigations into the circumstances of a cybersecurity event in order to comply with forthcoming reporting obligations.