Skip to the content

EU adopts new cyber security rules


Ministers back plan for national strategies and European-wide mechanism for cooperation

Member states of the EU have agreed on a new Network and Information Security Directive aimed at raising their collective game on cyber security.

The European Council has agreed with the first reading of a draft that was passed by the European Parliament last December, laying the way for it to go back for a second reading in time for it to enter into force in August of this year.

Among its features are a minimum level of security for digital technologies, networks and services across the EU, and proposals for specified organisations and businesses to report significant cyber security incidents.

The UK is already dealing with one of the key measures outlined in the directive – for member states to adopt a network and information security strategy, and designate a national authority to prevent, handle and respond to risks and incidents.

Last autumn’s Spending Review provided £1.9 billion to support cyber security, and the Government is working on a national strategy to follow the one for 2011-16, the final report of which was recently published. It is also setting up a National Cyber Security Centre.

Share warnings

Other proposals are for the creation of a cooperation mechanism among member states to share early warnings on risks and incidents, and for certain digital companies and services to adopt risk management practices and report major incidents to national authorities.

While the directive leaves details to the member states, it reflects the merging of government organisations and some private sector operations in providing the national digital infrastructure. Business streams such as IT service companies, transport, energy and healthcare are included in the directive.

The European Council statement said the Netherlands, which currently holds the presidency, has begun to work with the EU Agency for Network and Information Security (Enisa) on the implementation of the directive. Two meetings of the incident response teams have already taken place.

Register For Alerts

Keep informed - Get the latest news about the use of technology, digital & data for the public good in your inbox from UKAuthority.