May 17, 2016
European ministers formally adopted new cybersecurity legislation on Tuesday morning—paving the way for national laws in the next two years.
Under the Network and Information Security Directive, so-called “essential services” operators and “digital service providers”—including online marketplaces, search engines, and cloud services—will have to take measures to manage risks to their networks. They will be expected to notify national authorities about cyber incidents.
Each country in the 28-member-state bloc will also be required to designate at least one national authority to deal with cyber threats.
The question of which “digital service providers” would be included was a sticking point in drawing up the law. Under the final compromise, businesses that already fall under “sector-specific” regulation that deals with information and network security issues will be exempt. It will be up to each country to draw up a list of companies or to set out other “objectively quantifiable criteria” to determine which organisations will be subject to the law.