After a 5-hour round of talks between the EU co-legislators, the Council and the EP, and the European Commission, a deal was struck late at night on Monday 7 December on the EU's first set of cyber-security rules. The Network and Information Security (NIS) directive was proposed by the EC in 2013. Its aim is to introduce a single set of cyber-security rules for critical network infrastructure providers, such as electricity grids, airports, railways, banks, internet exchange points or water distributors, concerning. Cyber-attack attempts will have to be reported to national authorities, which will then share the information within the EU. This reporting obligation will also apply to some online service providers: big marketplaces (such as eBay, Amazon), search engines and cloud computing providers. Interestingly, though, it does not require reporting from social network providers or online payment providers. The directive also establishes better communication and coordination between member states on cyber security: a network of national Computer Security Incident Response Teams (CSIRTs) will be created with the aim of sharing cyber-attack intelligence and best practices.
The informal deal will be submitted to the EP committee and the Council's COREPER this week for approval. Then, the EP plenary and the ministerial Council will formally adopt the directive (expected early next year). Once the directive is in force, member states will have 21 months to transpose it into national legislation, and a further 6 months to identify critical infrastructure providers.
With PNR and NIS rules now agreed by the EP and the Council, the momentum is there for an agreement before the end of the year on the data protection package, too.
2nd May 2018