The European Directive on Security of Network and Information Systems (“NIS Directive”) is the EU’s first move to bring the cybersecurity legislation to a high standard across all EU Member States. The Directive was adopted on 6 July 2016 and the Member States have until May 2018 for adopting the NIS’ requirements into their local national laws, which also requires identifying the operators of essential services who are required to comply with the NIS Directive’s requirements. This includes operators in the sectors of banking & finance, digital infrastructure, drinking water supply and distribution, energy, health, infrastructures and transport. The Member States will therefore also have to compile a list of organizations in those fields and identify them as “essential service providers”.
As of 12 September 2017, the following Member States had already adopted the NIS Directive:
- Czech Republic: The Czech NIS Implementation Act entered into force on 1 August 2017 and specified the criteria for identifying operators of essential services in the following sectors: energy, transportation, banking, financial markets infrastructure, healthcare, water management, digital infrastructure and chemical industry. As the NIS Directive’s primary requirements already were covered by the prior Czech Cybersecurity Act since 1 January 2015, the amendments required under the NIS Directive were rather minor.
- Germany: The German Czech NIS Implementation Act entered into force on 24 June 2017 and specified the criteria for identifying operators of essential services in the following sectors: finance & insurance, health, transportation & traffic, energy, IT and telecoms, water and food. As the NIS Directive’s primary requirements already were covered by the prior German 2015 IT Security Act, the amendments required under the NIS Directive were rather minor.
The other Member States have not yet adopted the NIS Directive into their national laws and their implementation stages vary.