The EU Network and Information Security (NIS) Directive now looks likely to enter into force in August of this year. Member States will then have 21 months to implement it into national law before the new security and incident notification obligations will start to apply to the following entities:
- designated* “operators of essential services” within the energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, and digital infrastructure sectors; and
- certain “digital service providers” that offer services within the EU, namely online market places, online search engines and cloud computing services, excluding small/micro enterprises.
* Once implemented in national law, Member States will have a further 6 months to apply criteria laid down in the Directive to identify specific operators of essential services covered by national rules; they do not need to undertake this exercise in relation to digital service providers, which shall be deemed to be under the jurisdiction of the Member State in which it has its “main establishment” (i.e., its head office in the Union).
Continue Reading EU Cyber Security Directive To Enter Into Force In August